[Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on renegotiation,
the same issue that was partially fixed for server mode in [GH#773]. Reported
on Windows with -e by pkreuzt and vinod272. [Daniel Miller]

[NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle
misbehaving or rate-limiting services. Most significantly,
brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for
reporing infinite loops and proposing changes.

Removed deprecated and undocumented aliases for several long options that
used underscores instead of hyphens, such as --max_retries. [Daniel Miller]

When a soft match occurs, any probes that could result in a match with the
same service will be sent regardless of rarity, improving the chances of
matching unusual services on non-standard ports. [Daniel Miller]

--version-all now turns off the soft match optimization, ensuring that all
probes really are sent, even if there aren't any existing match lines for the
softmatched service. [Daniel Miller]

Increased effectiveness of service scan soft matches. Previously, all probes
which matched the port being scanned would be sent regardless of whether the
service was soft matched; softmatch lines only restricted non-port-matching
probes from being sent. Now, a soft match will cause ALL non-service-matching
probes to be skipped, even if the port number matches. [Daniel Miller]

[GH#977] Improved DNS service version detection coverage and consistency
by using data from a Project Sonar Internet wide survey. Numerouse false
positives were removed and reliable softmatches added. Match lines for
version.bind responses were also conslidated using the technique below.
[Tom Sellers]

[GH#977] Changed version probe fallbacks so as to work cross protocol
(TCP/UDP). This enables consolidating match lines for services where the
responses on TCP and UDP are similar. [Tom Sellers]

[NSE][GH#532] Added zlib library for NSE. This was a leftover project from
GSOC 2014, and will be very useful. [Claudiu Perta, Daniel Miller]

[NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated
as the number of tries, not retries, and a value of 0 would result in
infinite retries. Instead, it is now the number of retries, defaulting to 2
(3 total tries), with no option for infinite retries.

[NSE][GH#987] Adds smb-enum-services.nse. It retrieves the list of services
running on a remote Windows machine. Modern Windows systems requires a
privileged domain account in order to list the services. [Rewanth Cool]

[GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We
were always reporting the version number of the included source, even when a
different version was linked. [Pavel Zhukov]

Add a new helper function for nmap-service-probes match lines: $I(1,">") will
unpack an unsigned big-endian integer value up to 8 bytes wide from capture
1. The second option can be "<" for little-endian. [Daniel Miller]

Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]

[NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute.
Carriage Return characters were being sent in the connection packets, likely
resulting in failure of the script. [Anant Shrivastava]

[Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes
for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]

Integrated all of your service/version detection fingerprints submitted from
September to March (855 of them). The signature count went up 2.9% to 11,418.
We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon,
slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140

[NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

http-security-headers checks for the HTTP response headers related to
security given in OWASP Secure Headers Project, giving a brief description
of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]

[GH#713]impress-remote-discover attempts to pair with the LibreOffice
Impress presentation remote service and extract version info. Pairing is
PIN-protected, and the script can optionally brute-force the PIN. New
service probe and match line also added. [Jeremy Hiebert]

vmware-version queries VMWare SOAP API for version and product information.
Submitted in 2011, this was mistakenly turned into a service probe that was
unable to elicit any matches. [Aleksey Tyurin]

[Ncat] A series of changes and fixes based on feedback from the Red Hat community:

[GH#157] Ncat will now continue trying to connect to each resolved address
for a hostname before declaring the connection refused, allowing it to
fallback from IPv6 to IPv4 or to connect to names that use DNS failover.
[Jaromir Koncicky, Michal Hlavinka]

The --no-shutdown option now also works in connect mode, not only in listen mode.

Made -i/--idle-timeout not cause Ncat in server mode to close while
waiting for an initial connection. This was also causing -i to interfere
with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]

[GH#773] Ncat in server mode properly handles TLS renegotiations and other
situations where SSL_read returns a non-fatal error. This was causing
SSL-over-TCP connections to be dropped. [Daniel Miller]

Enable --ssl-ciphers to be used with Ncat in client mode, not only in
server (listen) mode. [Daniel Miller]

[NSE] New script argument "vulns.short" will reduce vulns library script
output to a single line containing the target name or IP, the vulnerability
state, and the CVE ID or title of the vulnerability. [Daniel Miller]

[NSE][GH#862] SNMP scripts will now take a community string provided like
`--script-args creds.snmp=private`, which previously did not work because it
was interpreted as a username. [Daniel Miller]

[NSE] Resolved several issues in the default HTTP redirect rules:

[GH#826] A redirect is now cancelled if the original URL contains
embedded credentials

[GH#829] A redirect test is now more careful in determining whether
a redirect destination is related to the original host

[GH#830] A redirect is now more strict in avoiding possible redirect
loops

[nnposter]

[NSE][GH#766] The HTTP Host header will now include the port unless it is
the default one for a given scheme. [nnposter]

[NSE] The HTTP response object has a new member, fragment, which contains
a partially received body (if any) when the overall request fails to
complete. [nnposter]

[NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which
are silently ignored (in accordance with RFC 6265). Unrecognized attributes
were previously causing HTTP requests with such cookies to fail. [nnposter]

[NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted
whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]

[NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie
header that has an extraneous trailing semicolon. [nnposter]

[NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated
with option any_af. As an added benefit, option any_af is now available for
all connections via comm.lua, not just HTTP requests. [nnposter]

[NSE][GH#781] There is a new common function, url.get_default_port(),
to obtain the default port number for a given scheme. [nnposter]

[NSE][GH#833] Function url.parse() now returns the port part as a number,
not a string. [nnposter]

No longer allow ICMP Time Exceeded messages to mark a host as down during
host discovery. Running traceroute at the same time as Nmap was causing
interference. [David Fifield]

[NSE][GH#807] Fixed a JSON library issue that was causing long integers
to be expressed in the scientific/exponent notation. [nnposter]

[NSE] Fixed several potential hangs in NSE scripts that used
receive_buf(pattern), which will not return if the service continues to send
data that does not match pattern. A new function in match.lua, pattern_limit,
is introduced to limit the number of bytes consumed while searching for the
pattern. [Daniel Miller, Jacek Wielemborek]

[Nsock] Handle any and all socket connect errors the same: raise as an Nsock
error instead of fatal. This prevents Nmap and Ncat from quitting with
"Strange error from connect:" [Daniel Miller]

[NSE][GH#627] Fixed script hang in several brute scripts due to the "threads"
script-arg not being converted to a number. Error message was
"nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]

Integrated all of your IPv4 OS fingerprint submissions from April to
September (568 of them). Added 149 fingerprints, bringing the new total to
5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more.
Highlights: http://seclists.org/nmap-dev/2016/q4/110 [Daniel Miller]

Integrated all of your service/version detection fingerprints submitted from
April to September (779 of them). The signature count went up 3.1% to 11,095.
We now detect 1161 protocols, from airserv-ng, domaintime, and mep to
nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115
[Daniel Miller]

Fix reverse DNS on Windows which was failing with the message "mass_dns:
warning: Unable to determine any DNS servers." This was because the interface
GUID comparison needed to be case-insensitive. [Robert Croteau]

[NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

[NSE][GH#518] Brute scripts are faster and more accurate. New feedback and
adaptivity mechanisms in brute.lua help brute scripts use resources more
efficiently, dynamically changing number of threads based on protocol
messages like FTP 421 errors, network errors like timeouts, etc.
[Sergey Khegay]

[GH#353] New option --defeat-icmp-ratelimit dramatically reduces UDP scan
times in exchange for labeling unresponsive (and possibly open) ports as
"closed|filtered". Ports which give a UDP protocol response to one of Nmap's
scanning payloads will be marked "open". [Sergey Khegay]

[NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that
service at some point. Reported by Brian Morin.

[Ncat] Restore the connection success message that Ncat prints with -v. This
was accidentally suppressed when not using -z.

[GH#316] Added scan resume from Nmap's XML output. Now you can --resume a
canceled scan from all 3 major output formats: -oN, -oG, and -oX.
[Tudor Emil Coman]

[Ndiff][GH#591] Fix a bug where hosts with the same IP but different
hostnames were shown as changing hostnames between scans. Made sort stable
with regard to hostnames. [Daniel Miller]

[NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for
TLS Server Name Indication extension. The argument overrides the default use
of the host's targetname. [Bertrand Bonnefoy-Claudet]

[NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a
floating-point number being passed to os.time ("bad argument").
[Dallas Winger]

[NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in
mysql-brute and other scripts due to including a null terminator in the salt
value. This bug affects Nmap 7.25BETA2 and later releases. [Daniel Miller]

The --open option now implies --defeat-rst-ratelimit. This may result in
inaccuracies in the numbers of "Not shown:" closed and filtered ports, but
only in situations where it also speeds up scan times. [Daniel Miller]

[Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing
increased stability, bug fixes, and raw 802.11 WiFi capture (unused
by Nmap). Further details on these changes can be found at
https://github.com/nmap/npcap/releases. [Yang Luo]

Fixed the way Nmap handles scanning names that resolve to the same IP. Due to
changes in 7.30, the IP was only being scanned once, with bogus results
displayed for the other names. The previous behavior is now restored.
[Tudor Emil Coman]

[Nping][GH#559] Fix Nping's ability to use Npcap on Windows. A privilege
check was performed too late, so the Npcap loading code assumed the user had no
rights. [Yang Luo, Daniel Miller]

[GH#350] Fix an assertion failure due to floating point error in equality
comparison, which triggered mainly on OpenBSD:

assertion "diff <= interval" failed: file "timing.cc", line 440

This was reported earlier as [GH#472] but the assertion fixed there was a
different one. [David Carlier]

[Zenmap] Fix a crash in the About page in the Spanish translation due to a
missing format specifier:

File "zenmapGUI\About.pyo", line 217, in __init__
TypeError: not all arguments converted during string formatting

[Daniel Miller]

[Zenmap][GH#556] Better visual indication that display of hostname is tied to
address in the Topology page. You can show numeric addresses with hostnames
or without, but you can't show hostnames without numeric addresses when they
are not available. [Daniel Miller]

To increase the number of IPv6 fingerprint submissions, a prompt for
submission will be shown with some random chance for successful matches of OS
classes that are based on only a few submissions. Previously, only
unsuccessful matches produced such a prompt. [Daniel Miller]

Upgraded Npcap, our new Windows packet capturing driver/library,
from version to 0.09 to 0.10r2. This includes many bug fixes, with a
particular on emphasis on concurrency issues discovered by running
hundreds of Nmap instances at a time. More details are available
from https://github.com/nmap/npcap/releases. [Yang Luo, Daniel
Miller, Fyodor]

Improved some output filtering to remove or escape carriage returns ('\r')
that could allow output spoofing by overwriting portions of the screen. Issue
reported by Adam Rutherford. [Daniel Miller]

[NSE] Fixed a few bad Lua patterns that could result in denial of service due
to excessive backtracking. [Adam Rutherford, Daniel Miller]

Fixed a discrepancy between the number of targets selected with -iR and the
number of hosts scanned, resulting in output like "Nmap done: 1033 IP
addresses" when the user specified -iR 1000. [Daniel Miller]

Fixed a bug in port specification parsing that could cause extraneous
'T', 'U', 'S', and 'P' characters to be ignored when they should have
caused an error. [David Fifield]

[GH#543] Restored compatibility with LibreSSL, which was lost in adding
library version checks for OpenSSL 1.1. [Wonko7]

[Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting
in this message instead of Ndiff output:

[NSE] Added 2 NSE scripts, bringing the total up to 534! They are both listed
at https://nmap.org/nsedoc/, and the summaries are below:

oracle-tns-version decodes the version number from Oracle Database Server's
TNS listener. [Daniel Miller]

clock-skew analyzes and reports clock skew between Nmap and services that
report timestamps, grouping hosts with similar skews. [Daniel Miller]

Integrated all of your service/version detection fingerprints submitted from
January to April (578 of them). The signature count went up 2.2% to 10760.
We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to
ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]

[Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only
zenmap.conf. User will be warned that config cannot be saved and that they
should fix the file permissions. [Daniel Miller]

[NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support,
like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers
will label the ciphersuite strength as "unknown." Reported by Bertrand
Bonnefoy-Claudet. [Daniel Miller]

[NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations
against LDAP services when version detection or STARTTLS were used.
[Tom Sellers]

[GH#426] Remove a workaround for lack of selectable pcap file descriptors on
Windows, which required including pcap-int.h and locking us to a single
version of libpcap. The new method, using WaitForSingleObject should work
with all versions of both WinPcap and Npcap. [Daniel Miller]

[NSE][GH#234] Added a --script-timeout option for limiting run time for
every individual NSE script. [Abhishek Singh]

[Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in
traditional netcat, it can be used to quickly check the status of a
port. Port ranges are not supported since we recommend a certain other tool
for port scanning. [Abhishek Singh]

Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and
"nmap" with no options result in the same behaviors as on Linux (and no
crashes) [Daniel Miller]

[NSE]ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode,
which are vulnerable to the SWEET32 attack.

[NSE][GH#117]tftp-enum now only brute-forces IP-address-based Cisco filenames when
the wordlist contains "{cisco}". Previously, custom wordlists would still end
up sending these extra 256 requests. [Sriram Raghunathan]

[GH#140] Allow target DNS names up to 254 bytes. We previously imposed an
incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]

[NSE] The hard limit on number of concurrently running scripts can now
increase above 1000 to match a high user-set --min-parallelism value. [Tudor
Emil Coman]

[NSE] Solved a memory corruption issue that would happen if a socket connect
operation produced an error immediately, such as Network Unreachable. The
event handler was throwing a Lua error, preventing Nsock from cleaning up
properly, leaking events. [Abhishek Singh, Daniel Miller]

[NSE] Added the datetime library for performing date and time calculations,
and as a helper to the clock-skew script.

[GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully
handling truncated replies. If a response is too long, we now fall back to
using the system resolver to answer it. [Abhishek Singh]

[Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]

Nmap now ships with and uses Npcap, our new packet sniffing library
for Windows. It's based on WinPcap (unmaintained for years), but
uses modern Windows APIs for better performance. It also includes
security improvements and many bug fixes. See http://npcap.org. And
it enables Nmap to perform SYN scans and OS detection against
localhost, which we haven't been able to do on Windows since
Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel
Miller, Fyodor]

[NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below
(authors are listed in brackets):

Integrated all of your IPv4 OS fingerprint submissions from January
to April (539 of them). Added 98 fingerprints, bringing the new total
to 5187. Additions include Linux 4.4, Android 6.0, Windows Server
2016, and more. [Daniel Miller]

Integrated all 31 of your IPv6 OS fingerprint submissions from January to
June. The classifier added 2 groups and expanded several others. Several
Apple OS X groups were consolidated, reducing the total number of groups to
93. [Daniel Miller]

Update oldest supported Windows version to Vista (Windows 6.0). This enables
the use of the poll Nsock engine, which has significant performance and
accuracy advantages. Windows XP users can still use Nmap 7.12, available from
https://nmap.org/dist/?C=M&O=D [Daniel Miller]

[NSE] Fix a crash that happened when trying to print the percent done of 0
NSE script threads:

This would happen if no scripts were scheduled in a scan phase and the user
pressed a key or specified a short --stats-every interval. Reported by
Richard Petrie. [Daniel Miller]

[GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown
address family 0" crash on Windows and other platforms that do not set the
src_addr argument to recvfrom for TCP sockets. [Daniel Miller]

Retrieve the correct network prefix length for an adapter on Windows. If more
than one address was configured on an adapter, the same prefix length would
be used for both. This incorrect behavior is still used on Windows XP and
earlier. Reported by Niels Bohr. [Daniel Miller]

[NSE] Update to enable smb-os-discovery to augment version detection
for certain SMB related services using data that the script discovers.
[Tom Sellers]

Improved version detection and descriptions for Microsoft and Samba
SMB services. Also addresses certain issues with OS identification.
[Tom Sellers]

[NSE]ssl-enum-ciphers will give a failing score to any server with an RSA
certificate whose public key uses an exponent of 1. It will also cap the
score of an RC4-ciphersuite handshake at C and output a warning referencing
RFC 7465. [Daniel Miller]

[NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua .
[Daniel Miller]

[GH#454] The OS X binary package is distributed in a .dmg disk image that now
features an instructive background image. [Vincent Dumont]

[GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to
provide all dependencies. We no longer use Macports for this purpose.
[Vincent Dumont]

[GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable
location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of
next to the zenmap.exe executable. This avoids a warning message when closing
Zenmap if it produced any stderr output. [Daniel Miller]

[NSE][GH#362] Added support for LDAP over udp to ldap-rootdse.nse.
Also added version detection and information extraction to match the
new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]

[GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq
and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The
Probes will elicit responses from target services that allow better finger
-printing and information extraction. Also added nmap-payload entry for
detecting LDAP on udp. [Tom Sellers]

[NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of
authentication sub-types in vnc-info, and all zero-authentication types are
recognized and reported. [Daniel Miller]

[NSE][GH#341] Added support for diffie-hellman-group-exchange-* SSH key
exchange methods to ssh2.lua, allowing ssh-hostkey to run on servers that
only support custom Diffie-Hellman groups. [Sergey Khegay]

Integrated all of your IPv4 OS fingerprint submissions from October to
January (536 of them). Added 104 fingerprints, bringing the new total to
5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.
Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]

Integrated all of your service/version detection fingerprints submitted from
October to January (508 of them). The signature count went up 2.2% to 10532.
We now detect 1108 protocols, from icy, finger, and rtsp to ipfs,
basestation, and minecraft-pe. Highlights:
http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]

Integrated all 12 of your IPv6 OS fingerprint submissions from October to
January. The classifier added 3 new groups, including new and expanded groups
for OS X, bringing the new total to 96. Highlights:
http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]

[GH#272][GH#269] Give option parsing errors after the usage statement, or
avoid printing the usage statement in some cases. The options summary has
grown quite large, requiring users to scroll to the top to see the error
message. [Abhishek Singh]

[GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's
Slow Comprehensive Scan profile. In the case of unknown OpenSSL errors,
ERR_reason_error_string would return NULL, which could not be printed with
the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]

[GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to
not work in Zenmap on Windows.

Changed Nmap's idea of reserved and private IP addresses to include
169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in
libnetutil's isipprivate function, is used to filter -iR randomly generated
targets. The newly-valid address ranges belong to the U.S. Department of
Defense, so users wanting to avoid those ranges should use their own
exclusion lists with --exclude or --exclude-file. [Bill Parker, Daniel
Miller]

Allow the -4 option for Nmap to indicate IPv4 address family. This is the
default, and using the option doesn't change anything, but does make it more
explicit which address family you want to scan. Using -4 with -6 is an error.
[Daniel Miller]

[GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the
screen. This happens at the time of argument parsing, so the usual meaning of
"verbosity 0" is preserved. [isjing]

[NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and
SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the
draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]

[NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection
against services that are not TLS encrypted by default but that support
post connection upgrade. This will enable more comprehensive detection
of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]

[NSE] Added support for DHCP options "TFTP server name" and "Bootfile name"
to dhcp.lua and enabled checking for options with a code above 61 by default.
[Mike Rykowski]

[NSE]whois-ip: Don't request a remote IANA assignments data file when the
local filesystem will not permit the file to cached in a local file. [jah]

[NSE] Updated http-php-version hash database to cover all versions from PHP
4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled
from Shodan API (https://www.shodan.io/) [Daniel Miller]

Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan
types, allowing periodic status updates with --stats-every or keypress
events. [Daniel Miller]

[GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS
X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have
properly select-able fds. Fix by OpenBSD port maintainer [David Carlier]

Print service info in grepable output for ports which are not listed in
nmap-services when a service tunnel (SSL) is detected. Previously, the
service info ("ssl|unknown") was not printed unless the service inside the
tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260
[Daniel Miller]

Switch to using gtk-mac-bundler and jhbuild for building the OS X installer.
This promises to reduce a lot of the problems we've had with local paths and
dependencies using the py2app and macports build system. [Daniel Miller]

The Windows installer is now built with NSIS 2.47 which features LoadLibrary
security hardening to prevent DLL hijacking and other unsafe use of temporary
directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to
us and the many other projects that use it.

[Zenmap][GH#235] Fix several failures to launch Zenmap on OS X. The new
build process eliminates these errors:

IOError: [Errno 2] No such file or directory: '/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in'
LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app with error -10810.

[NSE][GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to
match the one in nmap-service-probes, which was fixed previously to correct a
length calculation error. [Daniel Miller]

[NSE][GH#251] Correct false positives and unexpected behavior in http-*
scripts which used http.identify_404 to determine when a file was not found
on the target. The function was following redirects, which could be an
indication of a soft-404 response. [Tom Sellers]

[NSE][GH#241] Fix a false-positive in hnap-info when the target responds
with 200 OK to any request. [Tom Sellers]

[NSE][GH#244] Fix an error response in xmlrpc-methods when run against a
non-HTTP service. The expected behavior is no output. [Niklaus Schiess]

Integrated all of your IPv6 OS fingerprint submissions from April to October
(only 9 of them!). We are steadily improving the IPv6 database, but we need
your submissions. The classifier added 3 new groups, bringing the new total
to 93. Highlights: http://seclists.org/nmap-dev/2015/q4/61 [Daniel Miller]

Integrated all of your service/version detection fingerprints submitted from
February to October (800+ of them). The signature count went up 2.5% to
10293. We now detect 1089 protocols, from afp, bitcoin, and caldav to
xml-rpc, yiff, and zebra. Highlights: http://seclists.org/nmap-dev/2015/q4/62
[Daniel Miller]

[NSE] Added 10 NSE scripts from 5 authors, bringing the total up to 509!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below
(authors are listed in brackets):

[GH#51] Added IPv6 support to nmap_mass_rdns, improved reverse DNS cache,
and refactored DNS code to improve readability and
extensibility. All in all, this makes the rDNS portion of IPv6 scans
much faster. [Gioacchino Mazzurco]

[NSE][GH#122] Update the snmp-brute and other snmp-* scripts to use the
creds library to store brute-forced snmp community strings. This allows Nmap
to use the correct brute-forced string for each host. [Gioacchino Mazzurco]

Several improvements to TLS/SSL detection in nmap-service-probes. A new
probe, TLSSessionReq, and improvements to default SSL ports should help speed
up -sV scans. http://seclists.org/nmap-dev/2015/q2/17 [Daniel Miller]

[Nsock] Clean up the API so that nsp_* calls are now nsock_pool_* and nsi_*
are nsock_iod_*. Simplify Nsock SSL init API, and make logging global to the
library instead of associated with a nspool. [Henri Doreau]

[GH#181] The configure script now prints a summary of configured options.
Most importantly, it warns if OpenSSL was not found, since most users will
want this library compiled in. [Gioacchino Mazzurco]

Define TCP Options for SYN scan in nmap.h instead of literally throughout.
This string is used by p0f and other IDS to detect Nmap scans, so having it a
compile-time option is a step towards better evasion. [Daniel Miller]

[GH#51] Nmap's parallel reverse-DNS resolver now handles IPv6 addresses. This
should result in faster -6 scans. The old behavior is available with
--system-dns. [Gioacchino Mazzurco]

[NSE] Fix a couple odd bugs in NSE command-line parsing. Most notably,
--script broadcast-* will now work (generally, wildcards with scripts whose
name begins with a category name were not working properly). [Daniel Miller]

[NSE][GH#113]http-form-fuzzer will now stop increasing the size of a
request when an HTTP 413 or 414 error indicates the web server will not
accept a larger request. [Gioacchino Mazzurco]

[NSE][GH#159] Add the ability to tag credentials in the creds library with
freeform text for easy retrieval. This gives necessary granularity to track
credentials to multiple web apps on a single host+port. [Gioacchino Mazzurco]

Work around a bug which could cause Nmap to hang when running
multiple instances at once on Windows. The actual bug appears to be
in the WinPCAP driver in that it hanges when accessed via
OpenServiceA by multiple processes at once. So for now we have added
a mutex to prevent even multiple Nmap processes from making
concurrent calls to this part of WinPcap. We've received the reports
from multiple users on Windows 8.1 and Windows Server 2012 R2 and
this fix seems to resolve the hang for them. [Daniel Miller]

[GH#201] Fix Ndiff interpreter path problems in the OS X .dmg
installer which could prevent Ndiff (and the related Zenmap "compare
results" window) from working on OS X in some cases. [Daniel Miller]

Fix Nmap's DTD, which did not recognize that the script element
could contain character data when a script returns a number or a
boolean. [Jonathan Daugherty]

[GH#172][NSE] Fix reporting of DH parameter sizes by
ssl-enum-ciphers. The number shown was the length in bytes, not bits
as it should have been. Reported by Michael Staruch. [Brandon
Paulsen]

Our Windows Nmap packages are now compiled with the older platform
toolset (v120_xp rather than v120) and so they may work with Windows
XP again for the dwindling number of users still on that operating
system.

[GH#34] Disable TPACKET_V3 in our included libpcap. This version of
the Linux kernel packet ring API has problems that result in lots of
lost packets. This patch falls back to TPACKET_V2 or earlier
versions if available. [nnposter]

[NSE] Check for socket errors in iscsi.lua. This was causing the
iscsi-info script to crash against some services. [Daniel Miller]

Output a warning when deprecated options are used, and suggest the
preferred option. Currently deprecated: -i -o -m -sP -P0 -PN -oM
-sR. The warning is only visible with -v. [Daniel Miller]

Add a fatal error for options like -oG- which is interpreted as the
deprecated -o option, outputting to a file named "G-", instead of
the expected behavior of -oG - (Grepable output to stdout). [Daniel
Miller]

[GH#196] Fix raw packet sending on FreeBSD 10.0 and later. FreeBSD
changed byte order of the IPv4 stack, so SYN scan and other raw
packet functions were broken. [Edward Napierała] Also reported in
[GH#50] by Olli Hauer.

[GH#115][NSE]ssl-enum-ciphers will still produce output if OpenSSL
(required for certificate parsing) is not available. In cases where
handshake strength depends on the certificate, it will be reported
as "unknown". [jrchamp]

Fix a small memory leak for each target specified as a hostname which fails
to resolve. [Daniel Miller]

Allow 'make check' to succeed when Nmap is configured without OpenSSL
support. This was broken due to our NSE unittest library expecting to be able
to load every library without error. [Daniel Miller]

[NSE] Enable ssl-enum-ciphers to safely scan servers with a long handshake
intolerance issue which resulted in incomplete results when the handshake was
greater than 255 bytes. [Jacob Gajek, Daniel Miller]

[Ncat] Fix a write overrun in Ncat that could cause a segfault if the -g
(source route) option was given too many times. [Daniel Miller]

[NSE][GH#168] Allow ssl-enum-ciphers to run on non-typical ports when it is
selected by name. It will now send a service detection probe if the port is
not a typical SSL port and version scan (-sV) was not used. [Daniel Miller]

[GH#166] Fix Ncat listen mode on Solaris and other platforms where struct sockaddr
does not have a sa_len member. This also affected use of the -p and -s
options. Brandon Haberfeld reported the crash. [Daniel Miller]

[GH#164] Fix a Zenmap failure ot open on OS X with the error:
"dyld: Symbol not found: _iconv Referenced from: /usr/lib/libcups.2.dylib"
We had to remove the DYLD_LIBRARY_PATH environment variable from
zenmap_wrapper.py. Reported by Robert Strom. [Daniel Miller]

Integrated all of your service/version detection fingerprints submitted from
June 2013 to February 2015 (2500+ of them). The signature count soared over
the 10000 mark, a 12% increase. We now detect 1062 protocols, from http,
telnet, and ftp to jute, bgp, and slurm. Highlights:
http://seclists.org/nmap-dev/2015/q2/171 [Daniel Miller]

Integrated all of your IPv6 OS fingerprint submissions from June 2013 to
April 2015 (only 97 of them!). We are steadily improving the IPv6 database,
but we need your submissions. The classifier added 9 new groups, bringing the
new total to 90. Highlights: http://seclists.org/nmap-dev/2015/q2/170 [Daniel
Miller]

Nmap now has an official bug tracker! We are using Github Issues, which you
can reach from http://issues.nmap.org/. We welcome your bug reports,
enhancement requests, and code submissions via the Issues and Pull Request
features of Github (https://github.com/nmap/nmap), though the repository
itself is just a mirror of our authoritative Subversion repository.

--reason is enabled for verbosity > 2, and now includes the TTL of received
packets in Normal output (this was already present in XML) [Jay Bosamiya]

Fix ICMP Echo (-PE) host discovery for IPv6, broken since 6.45, caused by
failing to set the ICMP ID for outgoing packets which is used to match
incoming responses. [Andrew Waters]

Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
passing a NULL pointer to a WinPcap function that then tries to write an
error message to it. [Peter Malecka]

Enhance Nmap's tcpwrapped service detection by using a shorter timeout for
the tcpwrapped designation. This prevents falsely labeling services as
tcpwrapped which merely have a read timeout shorter than 6 seconds. Full
discussion: http://issues.nmap.org/39 [nnposter, Daniel Miller]

Update our Windows build system to VS 2013 on Windows 8.1. Also, we now build
our included OpenSSL with DEP, ASLR, and SafeSEH enabled. [Daniel Miller]

Our OS X installer is now built for a minimum supported version of 10.8
(Mountain Lion), a much-needed update from 10.5 (Leopard). Additionally,
OpenSSL is now statically linked, allowing us to distribute the latest from
Macports instead of being subjected to the 0.9.8 branch still in use as of
10.9. [Daniel Miller]

Add 2 more ASCII-art configure splash images to be rotated randomly with the
traditional dragon image. New ideas for other images to use here may be sent
to dev@nmap.org. [Jay Bosamiya, Daniel Miller]

Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
passing a NULL pointer to a WinPcap function that then tries to write an
error message to it. [Peter Malecka]

[NSE] Rework ssl-enum-ciphers to actually score the strength of the SSL/TLS
handshake, including certificate key size and DH parameters if applicable.
This is similar to Qualys's SSL Labs scanner, and means that we no longer
maintain a list of scores per ciphersuite. [Daniel Miller]

[NSE] Reduce many NSE default timeouts and base them on Nmap's detected
timeouts for those hosts from the port scan phase. Scripts which take timeout
script-args can now handle 's' and 'ms' suffixes, just like Nmap's own
options. [Daniel Miller]

Handle a bunch of socket errors that can result from odd ICMP Type 3
Destination Unreachable messages received during service scanning. The crash
reported was "Unexpected error in NSE_TYPE_READ callback. Error code: 92
(Protocol not available)" [Daniel Miller]

Fixed a crash (NULL pointer dereference) in PortList::isTCPwrapped when using
-sV and -O on an unknown service not listed in nmap-services. [Pierre Lalet]

Reduce CPU consumption when using nsock poll engine with no registered FD,
by actually calling Poll() for the time until timeout, instead of directly
returning zero and entering the loop again. [Henri Doreau]

[NSE] Added a check for Cisco ASA version disclosure, CVE-2014-3398, to
http-enum in the 'security' category [Daniel Miller]

Fixed a bug that caused Nmap to fail to find any network interface when a
Prism interface is in monitor mode. The fix was to define the
ARP_HRD_IEEE80211_PRISM header identifier in the libdnet-stripped code.
[Brad Johnson]

Added a version probe for Tor. [David Fifield]

[NSE] Add support to citrix-enum-apps-xml for reporting if Citrix
published applications in the list are enforcing/requiring the level
of ICA/session data encryption shown in the script result.
[Tom Sellers]

[NSE] Updated our Wordpress plugin list to improve the
http-wordpress-enum NSE script. We can now detect 34,077 plugins,
up from 18,570. [Danila Poyarkov]

[NSE] Add the signature algorithm that was used to sign the target port's
x509 certificate to the output of ssl-cert.nse [Tom Sellers]

[NSE] Fixed a bug in the sslcert.lua library that was triggered against
certain services when version detection was used. [Tom Sellers]

[NSE] If a version script is run by name, nmap.version_intensity() returns
the maximum value (9) for it [Jay Bosamiya]

[NSE] shortport.version_port_or_service() takes an optional rarity parameter
now to run only when version intensity > rarity [Jay Bosamiya]

[NSE] Added nmap.version_intensity() function so that NSE version scripts
can use the argument to --version-intensity (which can be overridden by the
script arg 'script-intensity') in order to decide whether to run or not
[Jay Bosamiya]

Improve OS detection; If a port is detected to be 'tcpwrapped', then it will
not be used for OS detection. This helps in cases where a firewall might be
the port to be 'tcpwrapped' [Jay Bosamiya]

Correct the Target MAC Address in Nmap's ARP discovery to conform to what IP
stacks in currently popular operating systems use. [Jay Bosamiya]

Fixed a bug which caused Nmap to be unable to have any runtime interaction
when called from sudo or from a shell script. [Jay Bosamiya]

Improvements to whois-ip.nse: fix an unhandled error when a referred-to
response could not be understood; add a new pattern to recognise a
LACNIC "record not found" type of response and update the way ARIN is
queried. [jah]

(Windows, RPMs) Upgraded the included OpenSSL to version 1.0.1i. [Daniel Miller]

(Windows) Upgraded the included Python to version 2.7.8. [Daniel Miller]

Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This
was added in 6.45, and resulted in trouble for Nmap XML parsers without
network access, as well as increased traffic to Nmap's servers. The doctype
is now:
<!DOCTYPE nmaprun>

[Ndiff] Fixed the installation process on Windows, which was missing the
actual Ndiff Python module since we separated it from the driver script.
[Daniel Miller]

[Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution,
which was giving the error, "\Microsoft was unexpected at this time." See
https://support.microsoft.com/kb/2524009 [Daniel Miller]

[Ncat] Fixed SOCKS5 username/password authentication. The password length was
being written in the wrong place, so authentication could not succeed.
Reported with patch by Pierluigi Vittori.

Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts
this to the string "(null)", but it caused segfault on Solaris. [Daniel Miller]

[Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package
installed. Python tries to be nice and loads it when we import xml, but it
isn't compatible. Instead, we force Python to use the standard library xml
module. [Daniel Miller]

[NSE] Made numerous improvements to ssl-heartbleed to provide
more reliable detection of the vulnerability.

[Zenmap] Fixed a bug which caused this crash message:

IOError: [Errno socket error] [Errno 10060] A connection attempt failed
because the connected party did not properly respond after a period of
time, or established connection failed because connected host has
failed to
respond

The bug was caused by us adding a DOCTYPE definition to Nmap's XML
output which caused Python's XML parser to try and fetch the DTD
every time it parses an XML file. We now override that DTD-fetching
behavior. [Daniel Miller]

Idle scan now supports IPv6. IPv6 packets don't usually come with
fragments identifiers like IPv4 packets do, so new techniques had to
be developed to make idle scan possible. The implementation is by
Mathias Morbitzer, who made it the subject of his master's thesis.

When doing a ping scan (-sn), the --open option will prevent down hosts from
being shown when -v is specified. This aligns with similar output for other
scan types. [Daniel Miller]

http-feed crawls a web site for Atom and RSS feeds. [George Chatzisofroniou]

http-iis-short-name-brute detects Microsoft IIS servers vulnerable to a
file/folder name disclosure and a denial of service vulnerability. The
script obtains the "shortnames" of the files and folders in the webroot
folder. [Paulino Calderon]

http-referer-checker finds JavaScript resources that are included from other
domains, increasing a website's attack surface. [George Chatzisofroniou]

http-server-header grabs the Server header as a last-ditch effort to get a
software version. This can't be done as a softmatch because of the need to
match non-HTTP services that obey some HTTP requests. [Daniel Miller]

http-useragent-tester checks for sites that redirect common Web spider
User-Agents to a different page than browsers get. [George Chatzisofroniou]

[NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and
other character sets to Unicode code points. Scripts that previously just
added or skipped nulls in UTF-16 data can use this to support non-ASCII
characters. [Daniel Miller]

[NSE] Enable http-enum to use the large Nikto fingerprint database at runtime
if provided by the user. For licensing reasons, we do not distribute this
database, but the integration effort has the blessing of the Nikto folks.
[George Chatzisofroniou]

Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on
FreeBSD >9 reported by idwer on IRC. Likely affected other *BSDs. Handled by
skipping these non-network addresses. [Daniel Miller]

Fixed a bug with UDP checksum calculation. When the UDP checksum is zero
(0x0000), it must be transmitted as 1's-complement -0 (0xffff) to avoid
ambiguity with +0, which indicates no checksum was calculated. This affected
UDP on IPv4 only. Reported by Michael Weber. [Daniel Miller]

[NSE] Removed a fixed value (28428) which was being set for the Request ID in
the snmpWalk library function; a value based on nmap.clock_ms will now be set
instead. [jah]

The ICMP ID of ICMP probes is now matched against the sent ICMP ID,
to reduce the chance of false matches. Patch by Chris Johnson.

[NSE] Made the table returned by ssh1.fetch_host_key contain a "key"
element, like that of ssh2.fetch_host_key. This fixed a crash in the
ssh-hostkey script reported by Dan Farmer and Florian Pelgrim. The
"key" element of ssh2.fetch_host_key now is base64-encoded, to match
the format used by the known_hosts file. [David Fifield]

[Nsock] Handle timers and timeouts via a priority queue (using a heap)
for improved performance. Nsock now only iterates over events which are
completed or expired instead of inspecting the entire event set at each
iteration. [Henri Doreau]

[NSE] Update dns-cache-snoop script to use a new list of top 50
domains rather than a 2010 list. [Nicolle Neulist]

[Zenmap] Fixed a crash that would happen when you entered a search
term starting with a colon: "AttributeError:
'FilteredNetworkInventory' object has no attribute 'match_'".
Reported by Kris Paernell. [David Fifield]

[Ncat] Added --lua-exec. This feature is basically the equivalent of 'ncat
--sh-exec "lua <scriptname>"' and allows you to run Lua scripts with Ncat,
redirecting all stdin and stdout operations to the socket connection. See
https://nmap.org/book/ncat-man-command-options.html [Jacek Wielemborek]

Integrated all of your IPv4 OS fingerprint submissions since January
(1,300 of them). Added 91 fingerprints, bringing the new total to 4,118.
Additions include Linux 3.7, iOS 6.1, OpenBSD 5.3, AIX 7.1, and more.
Many existing fingerprints were improved. Highlights:
http://seclists.org/nmap-dev/2013/q2/518. [David Fifield]

Integrated all of your service/version detection fingerprints submitted
since January (737 of them)! Our signature count jumped by 273 to 8,979.
We still detect 897 protocols, from extremely popular ones like http, ssh,
smtp and imap to the more obscure airdroid, gopher-proxy, and
enemyterritory. Highlights:
http://seclists.org/nmap-dev/2013/q3/80. [David Fifield]

Integrated your latest IPv6 OS submissions and corrections. We're still
low on IPv6 fingerprints, so please scan any IPv6 systems you own or
administer and submit them to https://nmap.org/submit/. Both new
fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap
guesses wrong) are useful. [David Fifield]

[Nsock] Added initial proxy support to Nsock. Nmap version detection
and NSE can now establish TCP connections through chains of one or
more CONNECT or SOCKS4 proxies. Use the Nmap --proxies option with a
chain of one or more proxies as the argument (example:
http://localhost:8080,socks4://someproxy.example.com). Note that
only version detection and NSE are supported so far (no port
scanning or host discovery), and there are other limitations
described in the man page. [Henri Doreau]

[NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 446.
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below (authors are listed in brackets):

http-stored-xss posts specially crafted strings to every form it
encounters and then searches through the website for those strings to
determine whether the payloads were successful. [George Chatzisofroniou]

ike-version obtains information (such as vendor and device type where
available) from an IKE service by sending four packets to the host.
This scripts tests with both Main and Aggressive Mode and sends multiple
transforms per request. [Jesper Kueckelhahn]

[NSE] Oops, there was a vulnerability in one of our 437 NSE scripts. If
you ran the (fortunately non-default) http-domino-enum-passwords script
with the (fortunately also non-default) domino-enum-passwords.idpath
parameter against a malicious server, it could cause an arbitrarily named
file to to be written to the client system. Thanks to Trustwave researcher
Piotr Duszynski for discovering and reporting the problem. We've fixed
that script, and also updated several other scripts to use a new
stdnse.filename_escape function for extra safety. This breaks our record
of never having a vulnerability in the 16 years that Nmap has existed, but
that's still a fairly good run! [David, Fyodor]

Unicast CIDR-style IPv6 range scanning is now supported, so you can
specify targets such as en.wikipedia.org/120. Obviously it will take ages
if you specify a huge space. For example, a /64 contains
18,446,744,073,709,551,616 addresses. [David Fifield]

It's now possible to mix IPv4 range notation with CIDR netmasks in target
specifications. For example, 192.168-170.4-100,200.5/16 is effectively the
same as 192.168.168-170.0-255.0-255. [David Fifield]

Timeout script-args are now standardized to use the timespec that Nmap's
command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that
previously took an integer number of milliseconds will now treat that as a
number of seconds if not explicitly denoted as ms. [Daniel Miller]

Nmap may now partially rearrange its target list for more efficient
host groups. Previously, a single target with a different interface,
or with an IP address the same as a that of a target already in the
group, would cause the group to be broken off at whatever size it
was. Now, we buffer a small number of such targets, and keep looking
through the input for more targets to fill out the current group.
[David Fifield]

[Ncat] The -i option (idle timeout) now works in listen mode as well as
connect mode. [Tomas Hozza]

[Ncat] Ncat now support chained certificates with the --ssl-cert
option. [Greg Bailey]

[Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid
receiving crosstalk from other ping programs running at the same
time. [David Fifield]

[NSE] The ipOps.isPrivate library now considers the deprecated site-local
prefix fec0::/10 to be private. [Marek Majkowski]

Nmap's routing table is now sorted first by netmask, then by metric.
Previously it was the other way around, which could cause a very general
route with a low metric to be preferred over a specific route with a
higher metric.

Routes are now sorted to prefer those with a lower metric. Retrieval of
metrics is supported only on Linux and Windows. [David Fifield]

Handle ICMP type 11 (Time Exceeded) responses to port scan probes. Ports
will be reported as "filtered", to be consistent with existing Connect
scan results, and will have a reason of time-exceeded. DiabloHorn
reported this issue via IRC. [Daniel Miller]

Add new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and
changed output of some of the decoders slightly. [Patrik Karlsson]

The list of name servers on Windows now ignores those from inactive
interfaces. [David Fifield]

Namespace the pipes used to communicate with subprocesses by PID, to avoid
multiple instances of Ncat from interfering with each other. Patch by
Andrey Olkhin.

Fixed a bug that prevented Nmap from finding any interfaces when one of
them had the type ARP_HDR_APPLETALK; this was the case for AppleTalk
interfaces. However, This support is not complete since AppleTalk
interfaces use different size hardware addresses than Ethernet. Nmap IP
level scans should work without any problem, please refer to the
'--send-ip' switch and to the following thread:
http://seclists.org/nmap-dev/2013/q1/214. This bug was reported by Steven
Gregory Johnson. [Daniel Miller]

[Nping] Nping on Windows now skips localhost targets for privileged pings
on (with an error message) because those generally don't work. [David
Fifield]

[Ncat] Ncat now keeps running in connect mode after receiving EOF from the
remote socket, unless --recv-only is in effect. [Tomas Hozza]

Packet trace of ICMP packets now include the ICMP ID and sequence number
by default. [David Fifield]

Added an ncat_assert macro. This is similar to assert(), but remains even
if NDEBUG is defined. Replaced all Ncat asserts with this. We also moved
operation with side effects outside of asserts as yet another layer of
bug-prevention [David Fifield].

Added nmap-fo.xsl, contributed by Tilik Ammon. This converts Nmap XML into
XSL-FO, which can be converted into PDF using tools suck as Apache FOP.

Increased the number of slack file descriptors not used during connect
scan. Previously, the calculation did not consider the descriptors used by
various open log files. Connect scans using a lot of sockets could fail
with the message "Socket creation in sendConnectScanProbe: Too many open
files". [David Fifield]

[NSE] The vulnerability library can now preserve vulnerability information
across multiple ports of the same host. The bug was reported by
iphelix. [Djalal Harouni]

Removed the undocumented -q option, which renamed the nmap process to
something like "pine".

Moved the Japanese man page from man1/jp to man1/ja. JP is a country code
while JA is a language code. Reported by Christian Neukirchen.

[Nsock] Reworked the logging infrastructure to make it more flexible and
consistent. Updated Nmap, Nping and Ncat accordingly. Nsock log level can
now be adjusted at runtime by pressing d/D in nmap. [Henri Doreau, David
Fifield]

Made some changes to Ndiff to reduce parsing time when dealing with large
Nmap XML output files. [Henri Doreau]

Clean up the source code a bit to resolve some false positive issues
identified by the Parfait static code analysis program. Oracle apparently
runs this on programs (including Nmap) that they ship with Solaris. See
http://seclists.org/nmap-dev/2012/q4/504. [David Fifield]

[Zenmap] Fixed a crash that could be caused by opening the About dialog,
using the window manager to close it, and opening it again. This was
reported by Yashartha Chaturvedi and Jordan Schroeder. [David Fifield]

[Ncat] Made test-addrset.sh exit with nonzero status if any tests
fail. This in turn causes "make check" to fail if any tests fail.
[Andreas Stieger]

Integrated all of your IPv4 OS fingerprint submissions since January
(more than 3,000 of them). Added 373 fingerprints, bringing the new
total to 3,946. Additions include Linux 3.6, Windows 8, Windows
Server 2012, Mac OS X 10.8, and a ton of new WAPs, printers,
routers, and other devices--including our first IP-enabled doorbell!
Many existing fingerprints were improved. [David Fifield]

Integrated all of your service/version detection fingerprints
submitted since January (more than 1,500)! Our signature
count jumped by more than 400 to 8,645. We now detect 897
protocols, from extremely popular ones like http, ssh, smtp and imap
to the more obscure airdroid, gopher-proxy, and
enemyterritory. [David Fifield]

Integrated your latest IPv6 OS submissions and corrections. We're
still low on IPv6 fingerprints, so please scan any IPv6 systems you
own or administer and submit them to https://nmap.org/submit/. Both
new fingerprints (if Nmap doesn't find a good match) and corrections
(if Nmap guesses wrong) are useful.

Enabled support for IPv6 traceroute using UDP, SCTP, and IPProto
(Next Header) probes. Previously, only TCP and ICMP were
supported. [David Fifield]

Scripts can now return a structured name-value table so that results
are query-able from XML output. Scripts can return a string as
before, or a table, or a table and a string. In this last case, the
table will go to XML output and the string will go to screen output.
See https://nmap.org/book/nse-api.html#nse-structured-output [Daniel
Miller, David Fifield, Patrick Donnelly]

[Nsock] Added new poll and kqueue I/O engines for improved
performance on Windows and BSD-based systems including Mac OS X.
These are in addition to the epoll engine (used on Linux) and the
classic select engine fallback for other system. [Henri Doreau]

[Ncat] Added support for Unix domain sockets. The new -U and
--unixsock options activate this mode. These provide compatibility
with Hobbit's original Netcat. [Tomas Hozza]

Moved some Windows dependencies, including OpenSSL, libsvn, and the
vcredist files, into a new public Subversion directory
/nmap-mswin32-aux and moved it out of the source tarball. This
reduces the compressed tarball size from 22 MB to 8 MB and similarly
reduces the bandwidth and storage required for an svn checkout.
Folks who build Nmap on Windows will need to check out
/nmap-mswin32-aux along with /nmap as described at
https://nmap.org/book/inst-windows.html#inst-win-source.

[NSE] Replaced old RPC grinder (RPC enumeration, performed as part
of version detection when a port seems to run a SunRPC service) with
a faster and easier to maintain NSE-based implementation. This also
allowed us to remove the crufty old pos_scan scan engine. [Hani
Benhabiles]

[NSE] Added 85(!) NSE scripts, bringing the total up to 433. They
are all listed at https://nmap.org/nsedoc/, and the summaries are
below (authors are listed in brackets):

ajp-auth retrieves the authentication scheme and realm of an AJP
service (Apache JServ Protocol) that requires authentication. The
Apache JServ Protocol is commonly used by web servers to
communicate with back-end Java application server
containers. [Patrik Karlsson]

ajp-request requests a URI over the Apache JServ Protocol and
displays the result (or stores it in a file). Different AJP
methods such as; GET, HEAD, TRACE, PUT or DELETE may be
used. [Patrik Karlsson]

bjnp-discover retrieves printer or scanner information from a
remote device supporting the BJNP protocol. The protocol is known
to be supported by network based Canon devices. [Patrik Karlsson]

broadcast-ataoe-discover discovers servers supporting the ATA over
Ethernet protocol. ATA over Ethernet is an ethernet protocol
developed by the Brantley Coile Company and allows for simple,
high-performance access to SATA drives over Ethernet. [Patrik
Karlsson]

broadcast-bjnp-discover attempts to discover Canon devices
(Printers/Scanners) supporting the BJNP protocol by sending BJNP
Discover requests to the network broadcast address for both ports
associated with the protocol. [Patrik Karlsson]

broadcast-tellstick-discover discovers Telldus Technologies
TellStickNet devices on the LAN. The Telldus TellStick is used to
wirelessly control electric devices such as lights, dimmers and
electric outlets. [Patrik Karlsson]

dns-check-zone checks DNS zone configuration against best
practices, including RFC 1912. The configuration checks are
divided into categories which each have a number of different
tests. [Patrik Karlsson]

dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6
network using a technique which analyzes DNS server response codes
to dramatically reduce the number of queries needed to enumerate
large networks. [Patrik Karlsson]

eppc-enum-processes attempts to enumerate process info over the
Apple Remote Event protocol. When accessing an application over
the Apple Remote Event protocol the service responds with the uid
and pid of the application, if it is running, prior to requesting
authentication. [Patrik Karlsson]

firewall-bypass detects a vulnerability in Netfilter and other
firewalls that use helpers to dynamically open ports for protocols
such as ftp and sip. [Hani Benhabiles]

http-drupal-enum-users enumerates Drupal users by exploiting a an
information disclosure vulnerability in Views, Drupal's most
popular module. [Hani Benhabiles]

http-drupal-modules enumerates the installed Drupal modules by
using a list of known modules. [Hani Benhabiles]

http-exif-spider spiders a site's images looking for interesting
exif data embedded in .jpg files. Displays the make and model of
the camera, the date the photo was taken, and the embedded geotag
information. [Ron Bowes]

http-form-fuzzer performs a simple form fuzzing against forms
found on websites. Tries strings and numbers of increasing length
and attempts to determine if the fuzzing was successful. [Piotr
Olma]

http-git checks for a Git repository found in a website's document
root (/.git/<something>) then retrieves as much repo
information as possible, including language/framework, Github
username, last commit message, and repository description. [Alex
Weber]

http-gitweb-projects-enum retrieves a list of Git projects, owners
and descriptions from a gitweb (web interface to the Git revision
control system). [riemann]

http-sitemap-generator spiders a web server and displays its
directory structure along with number and types of files in each
folder. Note that files listed as having an 'Other' extension are
ones that have no extension or that are a root document. [Piotr
Olma]

http-slowloris-check tests a web server for vulnerability to the
Slowloris DoS attack without actually launching a DoS
attack. [Aleksandar Nikolic]

http-tplink-dir-traversal exploits a directory traversal
vulnerability existing in several TP-Link wireless
routers. Attackers may exploit this vulnerability to read any of
the configuration and password files remotely and without
authentication. [Paulino Calderon]

http-virustotal checks whether a file has been determined as
malware by virustotal. Virustotal is a service that provides the
capability to scan a file or check a checksum against a number of
the major antivirus vendors. [Patrik Karlsson]

http-vlcstreamer-ls connects to a VLC Streamer helper service and
lists directory contents. The VLC Streamer helper service is used
by the iOS VLC Streamer application to enable streaming of
multimedia content from the remote server to the device. [Patrik
Karlsson]

http-waf-fingerprint Tries to detect the presence of a web
application firewall and its type and version. [Hani Benhabiles]

icap-info tests a list of known ICAP service names and prints
information about any it detects. The Internet Content Adaptation
Protocol (ICAP) is used to extend transparent proxy servers and is
generally used for content filtering and antivirus
scanning. [Patrik Karlsson]

ip-forwarding detects whether the remote device has ip forwarding
or "Internet connection sharing" enabled, by sending an ICMP echo
request to a given target using the scanned host as default
gateway. [Patrik Karlsson]

ipv6-ra-flood generates a flood of Router Advertisements (RA) with
random source MAC addresses and IPv6 prefixes. Computers, which
have stateless autoconfiguration enabled by default (every major
OS), will start to compute IPv6 suffix and update their routing
table to reflect the accepted announcement. This will cause 100%
CPU usage on Windows and platforms, preventing to process other
application requests. [Adam Stevko]

isns-info lists portals and iSCSI nodes registered with the
Internet Storage Name Service (iSNS). [Patrik Karlsson]

jdwp-exec attempts to exploit java's remote debugging port. When
remote debugging port is left open, it is possible to inject java
bytecode and achieve remote code execution. This script abuses
this to inject and execute a Java class file that executes the
supplied shell command and returns its output. [Aleksandar
Nikolic]

jdwp-info attempts to exploit java's remote debugging port. When
remote debugging port is left open, it is possible to inject java
bytecode and achieve remote code execution. This script injects
and execute a Java class file that returns remote system
information. [Aleksandar Nikolic]

metasploit-info gathers info from the Metasploit RPC service. It
requires a valid login pair. After authentication it tries to
determine Metasploit version and deduce the OS type. Then it
creates a new console and executes few commands to get additional
info. [Aleksandar Nikolic]

mmouse-exec connects to an RPA Tech Mobile Mouse server, starts an
application and sends a sequence of keys to it. Any application
that the user has access to can be started and the key sequence is
sent to the application after it has been started. [Patrik
Karlsson]

msrpc-enum queries an MSRPC endpoint mapper for a list of mapped
services and displays the gathered information. [Aleksandar
Nikolic]

ms-sql-dac queries the Microsoft SQL Browser service for the DAC
(Dedicated Admin Connection) port of a given (or all) SQL Server
instance. The DAC port is used to connect to the database instance
when normal connection attempts fail, for example, when server is
hanging, out of memory or in other bad states. [Patrik Karlsson]

mtrace queries for the multicast path from a source to a
destination host. [Hani Benhabiles]

mysql-dump-hashes dumps the password hashes from an MySQL server
in a format suitable for cracking by tools such as John the
Ripper. Appropriate DB privileges (root) are required. [Patrik
Karlsson]

mysql-query runs a query against a MySQL database and returns the
results as a table. [Patrik Karlsson]

mysql-vuln-cve2012-2122 attempts to bypass authentication in MySQL
and MariaDB servers by exploiting CVE2012-2122. If its vulnerable,
it will also attempt to dump the MySQL usernames and password
hashes. [Paulino Calderon]

Added Common Platform Enumeration (CPE) identifiers to nearly 1,000
more OS detection signatures. Nmap 6.01 had them for 2,608 of 3,572
fingerprints (73%) and now we have them for 3,558 out of 3,946
(90%). [David Fifield]

Scans that use OS sockets (including TCP connect scan, version
detection, and script scan) now use the SO_BINDTODEVICE sockopt on
Linux, so that the -e (select network device) option is
honored. [David Fifield]

[Zenmap] Host filters can now do negative matching, for example you
can use "os:!linux" to match hosts NOT detected as Linux. [Daniel
Miller]

Fixed a bug that caused an incorrect source address to be set when
scanning certain addresses (apparently those ending in .0) on
Windows XP. The symptom of this bug was the messages

Tested that our WinPcap installer works on Windows 8 and Windows
Server 2012 build 8400. Updated to installer text to recommend that
users select the option to start 'NPF' at startup. [Rob Nicholls]

Changed libdnet's routing interface to return an interface name for
each route on the most common operating systems. This is used to
improve the quality of Nmap's matching of routes to interfaces,
which was previously done by matching routes to interface addresses.
[Djalal Harouni, David Fifield]

Fixed a bug that prevented Nmap from finding any interfaces when one
of them had the type ARPHDR_INFINIBAND; this was the case for
IP-over-InfiniBand interfaces. However, This support is not complete
since IPoIB interfaces use 20 bytes for the hardware address, and
currently we only report and handle 6 bytes.
Nmap IP level scans should work without any problem, please refer to
the '--send-ip' switch and to the following thread:
http://seclists.org/nmap-dev/2012/q3/642
This bug was reported by starlight.2012q3. [Djalal Harouni]

Fixed a bug that prevented Nmap from finding any interfaces when one
of them had the type ARPHDR_IEEE80211; this was the case for wireless
interfaces operating in access point mode. This bug was reported by
Sebastiaan Vileijn. [Djalal Harouni]

Added a new --disable-arp-ping option. This option prevents Nmap
from implicitly using ARP or ND host discovery for discovering
directly connected Ethernet targets. This is useful in networks
using proxy ARP, which make all addresses appear to be up using ARP
scan. The previously recommended workaround for this situation,
--send-ip, didn't work on Windows because that lame excuse for an
operating system is still missing raw socket support. [David
Fifield (editorializing added by Fyodor)]

Protocol scan (-sO) probes for TCP, UDP, and SCTP now go to ports
80, 40125, and 80 respectively, instead of being randomly generated
or going to the same port as the source port. [David Fifield]

The Nmap --log-errors functionality (including errors and warnings
in the normal-format output file) is now always true, whether you
pass that option or not. [Sean Rivera]

Reduced the size of Port structures by about two thirds (from 176 to
64 bytes on x86_64). They had accidentally grown during the IPv6
code merge. [David Fifield]

Made source port numbers (used to encode probe metadata) increment
so as not to overlap between different scanning phases. Previously
it was possible for an RST response to an ACK probe from host
discovery to be misinterpreted as a reply to a SYN probe from port
scanning. [Sean Rivera, David Fifield]

Added version detection signatures for half a dozen new or changed
products. [Tom Sellers]

Fixed protocol number-to-name mapping. A patch was contributed by
hejianet.

[NSE] The nmap.ip_send function now takes a second argument, the
destination to send to. Previously the destination address was taken
from the packet buffer, but this failed for IPv6 link-local
addresses, because the scope ID is not part of the packet. Calling
ip_send without a destination address will continue to use the old
behavior, but this practice is deprecated.

Increased portability of configure scripts on systems using a libc
other than Glibc. Several problems were reported by John Spencer.

[NSE] Fixed a bug in rpc-grind.nse that would cause unresponsive UDP
ports to be wrongly marked open. This was reported by Christopher
Clements. [David Fifield]

[NSE] Fixed some bugs in snmp-interfaces which prevented the script from
outputting discovered interface info and caused it to abort in the
pre-scanning phase. [jah]

[NSE] Do a connect on rpc-grind (rpc.lua) UDP sockets so that socket_lock
is invoked. This is necessary to avoid "Too many open files" errors if
RPC grind creates an excessive number of sockets. We should have a
cleaner general solution for this, and not require scripts to "connect"
their unconnected UDP sockets. But there may be a good reason for
enforcing socket locking only on connect, not on creation. [David Fifield]

[NSE] Modified multiple scripts that operated against HTTP based services
so as to remove false positives that were generated when the target service
answers with a 200 response to all requests. [Tom Sellers]

[NSOCK] Fixed an epoll-engine-specific bug. The engine didn't recognized FDs
that were internally closed and replaced by other ones. This happened during
reconnect attempts. Also, the IOD flags were not properly cleared.
[Henri Doreau, Daniel Miller]

Added support for log type bitmasks in log_vwrite(). Also replaced a fatal()
statement by an assert(0) to get rid of a possible infinite call loop when
passed an invalid log type. [Henri Doreau]

Added handling for the unexpected error WSAENETRESET (10052). This error is
currently wrapped in the ifdef for WIN32 as there error appears to be unique
to windows [Sean Rivera]

Improved the mysql library to handle multiple columns with the same name,
added a formatResultset function to format a query response to a table
suitable for script output. [Patrik Karlsson]

The message "nexthost: failed to determine route to ..." is now a
warning rather than a fatal error. Addresses that are skipped in
this way are recorded in the XML output as "target" elements. [David
Fifield]

[NSE]targets-sniffer now is capable of sniffing IPv6 addresses.
[Daniel Miller]

[Zenmap] Fixed a hang that would occur on Mac OS X 10.7. A symptom
of the hang was this message in the system console:
"Couldn't recognize the image file format for file
'/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'".
[David Fifield]

Fixed an error that occurred when scanning certain addresses like
192.168.0.0 on Windows XP:

get_srcaddr: can't connect socket: The requested address is not valid in its context.
nexthost: failed to determine route to 10.80.0.0

[David Fifield]

Fixed a bug that caused Nmap to fail to find any network interface when
at least one of them is in the monitor mode. The fix was to define the
ARP_HRD_IEEE80211_RADIOTAP 802.11 radiotap header identifier in the
libdnet-stripped code. Network interfaces that are in this mode are used
by radiotap for 802.11 frame injection and reception. The bug was
reported by Tom Eichstaedt and Henri Doreau.
http://seclists.org/nmap-dev/2012/q2/449http://seclists.org/nmap-dev/2012/q2/478
[Djalal Harouni, Henri Doreau]

Fixed the greppable output of hosts that time-out (when --host-timeout was
used and the host timed-out after something was received from that host).
This issue was reported by Matthew Morgan. [jah]

[Zenmap] Updated the version of Python used to build the Windows
release from 2.7.1 to 2.7.3 to remove a false-positive security
alarm flagged by tools such as Secunia PSI. There was a minor
vulnerability in certain Python27.dll web functionality (which Nmap
doesn't use anyway) and Secunia was flagging all software which
includes that version of Python27.dll. This update should prevent
the false alarm.

[NSE] Added new script http-chrono, which measures min, max and average
response times of web servers. [Ange Gutek]

Applied a workaround to make pcap captures work better on Solaris
10. This involves peeking at the pcap buffer to ensure that captures
are not being lost. A symptom of the previous behavior was that,
when doing ARP host discovery against two targets, only one would be
reported as up. [David Fifield]

Fixed a bug that could cause Nsock timers to fire too early. This
could happen for the timed probes in IPv6 OS detection, causing an
incorrect measurement of the TCP_ISR feature. [David Fifield]

[Zenmap] We now build on Windows with a newer version of PyGTK, so
copy and paste should work again.

Changed the way timeout calculations are made in the IPv6 OS engine.
In rare cases a certain interleaving of probes and responses would
result in an assertion failure.

Integrated all of your IPv4 OS fingerprint submissions since June
2011 (about 1,900 of them). Added about 256 new fingerprints (and
deleted some bogus ones), bringing the new total to 3,572.
Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0
through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other
devices. Many existing fingerprints were improved. For more details,
see http://seclists.org/nmap-dev/2012/q1/431 [David Fifield]

Integrated all of your service/version detection fingerprints
submitted since November 2010--more than 2,500 of them! Our
signature count increased more than 10% to 7,423 covering 862
protocols. Some amusing and bizarre new services are described at
http://seclists.org/nmap-dev/2012/q1/359 [David Fifield]

Integrated your latest IPv6 OS submissions and corrections. We're
still low on IPv6 fingerprints, so please scan any IPv6 systems you
own or administer and submit them to https://nmap.org/submit/. Both
new fingerprints (if Nmap doesn't find a good match) and corrections
(if Nmap guesses wrong) are useful.

[NSE] Added a host-based registry which only persists (for the given
host) until all scripts have finished scanning that host. The normal
registry saves information until it is deleted or the Nmap scan
ends. That is a waste of memory for information which doesn't need
to persist that long. Use the host based registry instead if you
can. See https://nmap.org/book/nse-api.html#nse-api-registry. [Patrik
Karlsson]

IPv6 OS detection now includes a novelty detection system which
avoids printing a match when an observed fingerprint is too
different from fingerprints seen before. As the OS database is still
small, this helps to avoid making (essentially) wild guesses when
seeing a new operating system. [David Fifield]

Refactored the nsock library to add the nsock-engines system. This
allows system-specific scalable IO notification facilities to be
used while maintaining the portable Nsock API. This initial version
comes with an epoll-based engine for Linux and a select-based
fallback engine for all other operating systems. Also added the
--nsock-engine option to Nmap, Nping and Ncat to enforce use of a
specific Nsock IO engine. [Henri Doreau]

[NSE] Added 43(!) NSE scripts, bringing the total up to 340. They
are all listed at https://nmap.org/nsedoc/, and the summaries are
below (authors are listed in brackets):

asn-to-prefix produces a list of IP prefixes for a given AS number
(ASN). It uses the external Shadowserver API (with their
permission). [John Bond]

broadcast-dhcp6-discover sends a DHCPv6 request (Solicit) to the
DHCPv6 multicast address, parses the response, then extracts and
prints the address along with any options returned by the
server. [Patrik Karlsson]

broadcast-ripng-discover discovers hosts and routing information
from devices running RIPng on the LAN by sending a RIPng Request
command and collecting the responses from all responsive
devices. [Patrik Karlsson]

dns-client-subnet-scan performs a domain lookup using the
edns-client-subnet option that adds support for adding subnet
information to the query describing where the query is
originating. The script uses this option to supply a number of
geographically distributed locations in an attempt to enumerate as
many different address records as possible. [John Bond]

dns-nsid retrieves information from a DNS nameserver by requesting
its nameserver ID (nsid) and asking for its id.server and
version.bind values. [John Bond]

dns-srv-enum enumerates various common service (SRV) records for a
given domain name. The service records contain the hostname, port
and priority of servers for a given service. [Patrik Karlsson]

eap-info enumerates the authentication methods offered by an EAP
authenticator for a given identity or for the anonymous identity
if no argument is passed. [Riccardo Cecolin]

http-vuln-cve2010-2861 executes a directory traversal attack
against a ColdFusion server and tries to grab the password hash
for the administrator user. It then uses the salt value (hidden in
the web page) to create the SHA1 HMAC hash that the web server
needs for authentication as admin. [Micah Hoffman]

[NSE] Added 14 new protocol libraries! They were all written by
Patrik Karlsson, except for the EAP library by Riccardo Cecolin:

dhcp6 (Dynamic Host Configuration Protocol for IPv6)

eap (Extensible Authentication Protocol)

iax2 (Inter-Asterisk eXchange v2 VoIP protocol)

membase (Couchbase Membase TAP protocol)

natpmp (NAT Port Mapping Protocol)

ndmp (Network Data Management Protocol)

pppoe (Point-to-point protocol over Ethernet)

redis (in-memory key-value data store)

rpcap (WinPcap Remote Capture Deamon)

rsync (remote file sync)

socks (SOCKS 5 proxy protocol)

sslcert (for collecting SSL certificates and storing them in the
host-based registry)

versant (an object database)

xdmcp (X Display Manager Control Protocol)

CPE (Common Platform Enumeration) OS classification is now supported
for IPv6 OS detection. Previously it was only available for
IPv4. [David Fifield]

[NSE] The host.os table is now a structured array of table that
include OS class information and CPE. See
https://nmap.org/book/nse-api.html for documentation of the new
structure. [Henri Doreau, David]

[NSE] Service matches can now access CPE through the
port.version.cpe array. [Henri Doreau]

Added a new --script-args-file option which allows you to specify
the name of a file containing all of your desired NSE script
arguments. The arguments may be separated with commas or newlines
and may be overridden by arguments specified on the command-line
with --script-args. [Daniel Miller]

Audited the nmap-service-probes database to remove all unused
captures, fixing dozens of bugs with captures either being ignored
or two fields erroneously using the same capture. [Lauri Kokkonen,
David Fifield, and Rob Nicholls]

Added new version detection probes and match lines for:

Erlang Port Mapper Daemon

Couchbase Membase NoSQL database

Basho Riak distributed database protocol buffers client (PBC)

Tarantool in-memory data store

[Patrik Karlsson]

Split the nmap-update client into its own binary RPM to avoid the
Nmap RPM having a dependency on the Subversion and APR libraries.
We're not yet distributing this binary nmap-update RPM since the
system isn't complete, but the source code is available in the Nmap
tarball and source RPM. [David]

[NSE] Added authentication support to the MongoDB library and
modified existing scripts to support it. [Patrik Karlsson]

Fixed an error where very long messages could cause an
assertion failure: "log_vwrite: vsnprintf failed. Even after
increasing bufferlen to ---, Vsnprintf returned -1 (logt == 1)."
This was reported by David Hingos.

Fixed an assertion failure that was printed when a fatal error
occurred while an XML tag was incomplete: "!xml.tag_open, file
..\xml.cc, line 401". This was reported by David Hingos. [David
Fifield]

[NSE] Added redirect support to the http library. All calls to
http.get and http.head now transparently handle any HTTP
redirects. The number and destination of redirects are limited by
default to avoid endless loops or unwanted follows of redirects to
different servers, but they can be configured. [Patrik Karlsson]

[NSE] Modified the sql-injection script to use the httpspider library.
[Lauri Kokkonen]

Added --with-apr and --with-subversion configuration options to
support systems where those libraries aren't in the usual places.
[David Fifield]

[NSE] Fixed a bunch of global access errors in various libraries reported by
the nse_check_globals script. [Patrik Karlsson]

Fixed an assertion failure which could occur when connecting to an
SSL server:
nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed.
Thanks to Ron for reporting the bug and testing. [Henri Doreau]

[NSE] Added support to the DNS library for the CHAOS class and NSID
requests. [John Bond]

[NSE] Changed the dnsbl library to take a much faster threaded
approach to querying DNS blacklists. [Patrik Karlsson]

[NSE] Added new services and the ATTACK category to the dnsbl
script. [Duarte Silva]

[NSE] Fixed a memory leak in PortList::setServiceProbeResults()
which was noticed and reported by David Fifield. The leak was
triggered by set_port_version calls from NSE. [Henri Doreau]

[NSE] Fixed a race condition in broadcast-dhcp-discover.nse that
could cause responses to be missed on fast networks. It was noticed
by Vasiliy Kulikov. [David Fifield]

Fixed a bug in reverse name resolution: a name of "." would leave
the hostname unintialized and cause "Illegal character(s) in
hostname" warnings. [Gisle Vanem]

Allow overriding the AR variable to use a different version of the
ar library creation tool when creating the liblinear library. [Nuno
Gonçalves]

Added vcredist2008_x86.exe to the Windows zip file. This installer
from MS must be run on new Windows 2008 systems (those which don't
already have it) before running Nmap. The Nmap Windows installer
already takes care of this. [David Fifield]

Our Mac OS X packages are now x86-only (rather than universal),
reducing the download size from 30 MB to about 17. If you still
need a PowerPC version (Apple stopped selling those machines in
2006), you can use Nmap 5.51 or 5.61TEST2 from
https://nmap.org/dist/?C=M&O=D.

We set up a new SVN server for the Nmap codebase. This one uses SSL
for better security, WebDAV rather than svnserve for greater
functionality, is hosted on a faster (virtual) machine, provides
Nmap code history back to 1998 rather than 2005, and removes the
need for the special "guest" username. The new server is at
https://svn.nmap.org. More information:
http://seclists.org/nmap-dev/2011/q4/504.

[NSE] Added a vulnerability management library (vulns.lua) to store and to
report discovered vulnerabilities. Modified these scripts to use
the new library:

broadcast-rip-discover discovers hosts and routing information
from devices running RIPv2 on the LAN. It does so by sending a
RIPv2 Request command and collects the responses from all devices
responding to the request. [Patrik Karlsson]

http-apache-negotiation checks if the target http server has
mod_negotiation enabled. This feature can be leveraged to find
hidden resources and spider a web site using fewer requests. [Hani
Benhabiles]

http-backup-finder Spiders a website and attempts to identify
backup copies of discovered files. It does so by requesting a
number of different combinations of the filename (e.g. index.bak,
index.html~, copy of index.html). [Patrik Karlsson]

http-cors tests an http server for Cross-Origin Resource Sharing
(CORS), a way for domains to explicitly opt in to having certain
methods invoked by another domain. [Toni Ruottu]

http-open-redirect spiders a website and attempts to identify open
redirects. Open redirects are handlers which commonly take a URL
as a parameter and responds with a http redirect (3XX) to the
target. [Martin Holst Swende]

http-put uploads a local file to a remote web server using the
HTTP PUT method. You must specify the filename and URL path with
NSE arguments. [Patrik Karlsson]

ms-sql-dump-hashes Dumps the password hashes from an MS-SQL server
in a format suitable for cracking by tools such as
John-the-ripper. In order to do so the user needs to have the
appropriate DB privileges. [Patrik Karlsson]

rtsp-methods determines which methods are supported by the RTSP
(real time streaming protocol) server. [Patrik Karlsson]

rtsp-url-brute attempts to enumerate RTSP media URLS by testing
for common paths on devices such as surveillance IP
cameras. [Patrik Karlsson]

telnet-encryption determines whether the encryption option is
supported on a remote telnet server. Some systems (including
FreeBSD and the krb5 telnetd available in many Linux
distributions) implement this option incorrectly, leading to a
remote root vulnerability. [Patrik Karlsson, David Fifield,
Fyodor]

unusual-port compares the detected service on a port against the
expected service for that port number (e.g. ssh on 22, http on 80)
and reports deviations. An early version of this same idea was
written by Daniel Miller. [Patrik Karlsson]

vuze-dht-info retrieves some basic information, including protocol
version from a Vuze filesharing node. [Patrik Karlsson]

[NSE] Added some new protocol libraries

amqp (advanced message queuing protocol) [Sebastian Dragomir]

bitcoin crypto currency [Patrik Karlsson

dnsbl for DNS-based blacklists [Patrik Karlsson

rtsp (real time streaming protocol) [Patrik Karlsson]

httpspider and vulns have separate entries in this CHANGELOG

Nmap now includes a nmap-update program for obtaining the latest
updates (new scripts, OS fingerprints, etc.) The system is
currently only available to a few developers for testing, but we
hope to enable a larger set of beta testers soon. [David]

On Windows, the directory [HOME]\AppData\Roaming\nmap is now
searched for data files. This is the equivalent of $HOME/.nmap on
POSIX. [David]

Improved OS detection performance by scaling congestion control
increments by the response rate during OS scan, just as was done
for port scan before. [David]

[NSE] The targets-ipv6-multicast-*.nse scripts now scan all
interfaces by default. They show the MAC address and interface name
now too. [David, Daniel Miller]

Added some new version detection probes:

MongoDB service [Martin Holst Swende]

Metasploit XMLRPC service [Vlatko Kosturjak]

Vuze filesharing system [Patrik]

Redis key-value store [Patrik]

memcached [Patrik]

Sybase SQL Anywhere [Patrik]

VMware ESX Server [Aleksey Tyurin]

TCP Kerberos [Patrik]

PC-Duo [Patrik]

PC Anywhere [Patrik]

Targets requiring different source addresses now go into different
hostgroups, not only for host discovery but also for port scanning.
Before, only responses to one of the source addresses would be
processed, and the others would be ignored. [David]

Tidied up the version detection DB (nmap-service-probes) with a new
cleanup/canonicalization program sv-tidy. In particular, this:

Removes excess whitespace

Sorts templates in the order m p v i d o h cpe:

Canonicalizes template delimiters in the order: / | % = @ #.

[David]

The --exclude and --excludefile options for excluding targets can
now be used together. [David]

[NSE] Added support for detecting whether a http connection was established
using SSL or not to the http.lua library [Patrik]

[NSE] Added local port to BPF filter in snmp-brute to fix bug that would
prevent multiple scripts from receiving the correct responses. The bug was
discovered by Brendan Bird. [Patrik]

[NSE] Changed the dhcp-discover script to use the DHCPINFORM request
to query dhcp servers instead of DHCPDISCOVER. Also removed DoS code
from dhcp-discover and placed the script into the discovery and safe
categories. Added support for adding options to DHCP requests and
cleaned up some code in the dhcp library. [Patrik]

[NSE] Applied patch to snmp-brute that solves problems with handling
errors that occur during community list file parsing. [Duarte
Silva]

[Nping] The --safe-payloads option is now the default. Added
--include-payloads for the special situations where payloads are
needed. [Colin Rice]

[NSE] Added new functionality and fixed some bugs in the brute library:

Added support for restricting the number of guesses performed by the
brute library against users, to prevent account lockouts.

Added support to guess the username as password. The documentation
previously suggested (wrongly) that this was the default behavior.

Added support to guess an empty string as password if not
present in the dictionary. [Patrik]

[NSE] Re-enabled support for guessing the username in addition to password
that was incorrectly removed from the metasploit-xmlrpc-brute in previous
commit. [Patrik]

[NSE] Fixed bug that would prevent brute scripts from running if no service
field was present in the port table. [Patrik]

[NSE] Turned on promiscuous mode in targets-sniffer.nse so that it
finds packets not only from or to the scanning host. [David]

The Zenmap topology display feature is now disabled when there are
more than 1,000 target hosts. Those topology maps slow down the
interface and are generally too crowded to be of much use.

[NSE] Modified the http library to support servers that don't return valid
chunked encoded data, such as the Citrix XML service. [Patrik]

[NSE] Fixed a bug where the brute library would not abort even after all
retries were exhausted [Patrik]

Fixed a bug in the IPv6 OS probe called NI. The Node Information
Query didn't include the target address as the payload, so at least
OS X didn't respond. This differed from the probe sent by the
ipv6fp.py program from which some of our fingerprints were derived.
[David]

[NSE] Fixed an error in the mssql library that was causing the
broadcast-ms-sql-discover script to fail when trying to update port version
information. [Patrik]

[NSE] Made http-wordpress-enum.nse able to get names of users who
have no posts. [Duarte Silva]

Increased hop distance estimates from OS detection by one. The
distance now counts the number of hops including the final one to
the target, not just the number of intermediate nodes. The IPv6
distance calculation already worked this way. [David]

Added IPv6 OS detection system! The new system utilizes many tests
similar to IPv4, and also some IPv6-specific ones that we found to
be particularly effective. And it uses a machine learning approach
rather than the static classifier we use for IPv4. We hope to move
some of the IPv6 innovations back to our IPv4 system if they work
out well. The database is still very small, so please submit any
fingerprints that Nmap gives you to the specified URL (as long as
you are certain that you know what the target system is
running). Usage and results output are basically the same as with
IPv4, but we will soon document the internal mechanisms at
https://nmap.org/book/osdetect.html, just as we have for IPv4. For an
example, try "nmap -6 -O scanme.nmap.org". [David, Luis]

[NSE] Added 3 scripts, bringing the total to 246! You can learn
more about them at https://nmap.org/nsedoc/. Here they are (authors
listed in brackets):

lltd-discovery uses the Microsoft LLTD protocol to discover hosts
on a local network. [Gorjan Petrovski]

quake3-info extracts information from a Quake3-like game
server. [Toni Ruottu]

Improved AIX support for raw scans. This includes some patches
originally written by Peter O'Gorman and Florian Schmid. It also
involved various build fixes found necessary on AIX 6.1 and 7.1. See
https://nmap.org/book/inst-other-platforms.html . [David]

Fixed Nmap so that it again compiles and runs on Solaris 10,
including IPv6 support. [David]

[NSE] Moved our brute force authentication cracking scripts
(*-brute) from the "auth" category into a new "brute"
category. Nmap's brute force capabilities have grown tremendously!
You can see all 32 of them at
https://nmap.org/nsedoc/categories/brute.html . It isn't clear
whether dns-brute should be in the brute category, so for now it
isn't. [Fyodor]

Made the interface gathering loop work on Linux when an interface
index is more than two digits in /proc/sys/if_inet6. Joe McEachern
tracked down the problem and provided the fix.

[NSE] Fixed a bug in dns.lua: ensure that dns.query() always return two values
(status, response) and replaced the workaround in asn-query.nse by the proper
use. [Henri]

[NSE] Made irc-info.nse handle the case where the MOTD is missing.
Patch by Sebastian Dragomir.

Updated nmap-mac-prefixes to include the latest IEEE assignments
as of 2011-09-29.

Added Common Platform Enumeration (CPE, http://cpe.mitre.org/)
output for OS and service versions. This is a standard way to
identify operating systems and applications so that Nmap can
better interoperate with other software. Nmap's own (generally more
comprehensive) taxonomy/classification system is still supported as
well. Some OS and version detection results don't have CPE entries
yet. CPE entries show up in normal output with the headings "OS
CPE:" and "Service Info:":

broadcast-db2-discover attempts to discover DB2 servers on the
network by sending a broadcast request to port 523/udp. [Patrik
Karlsson]

broadcast-dhcp-discover sends a DHCP request to the broadcast
address (255.255.255.255) and reports the results. [Patrik
Karlsson]

broadcast-listener sniffs the network for incoming broadcast
communication and attempts to decode the received packets. It
supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and
a few more. [Patrik Karlsson]

broadcast-ping sends broadcast pings on a selected interface using
raw ethernet packets and outputs the responding hosts' IP and MAC
addresses or (if requested) adds them as targets. [Gorjan
Petrovski]

cvs-brute-repository attempts to guess the name of the CVS
repositories hosted on the remote server. With knowledge of the
correct repository name, usernames and passwords can be
guessed. [Patrik Karlsson]

ftp-vsftpd-backdoor tests for the presence of the vsFTPd 2.3.4
backdoor reported on 2011-07-04 (CVE-2011-2523). This script
attempts to exploit the backdoor using the innocuous 'id' command
by default, but that can be changed with the 'exploit.cmd' or
'ftp-vsftpd-backdoor.cmd' script arguments. [Daniel Miller]

ftp-vuln-cve2010-4221 checks for a stack-based buffer overflow in
the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. [Djalal
Harouni]

http-awstatstotals-exec exploits a remote code execution
vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other
products based on it (CVE: 2008-3922). [Paulino Calderon]

http-axis2-dir-traversal Exploits a directory traversal
vulnerability in Apache Axis2 version 1.4.1 by sending a specially
crafted request to the parameter 'xsd' (OSVDB-59001). By default
it will try to retrieve the configuration file of the Axis2
service '/conf/axis2.xml' using the path '/axis2/services/' to
return the username and password of the admin account. [Paulino
Calderon]

http-default-accounts tests for access with default credentials
used by a variety of web applications and devices. [Paulino
Calderon]

http-google-malware checks if hosts are on Google's blacklist of
suspected malware and phishing servers. These lists are constantly
updated and are part of Google's Safe Browsing service. [Paulino
Calderon]

targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an
invalid extension header to the all-nodes link-local multicast
address (ff02::1) to discover (some) available hosts on the
LAN. This works because some hosts will respond to this probe with
an ICMPv6 parameter problem packet. [David Fifield, Xu Weilin]

[NSE] The script arguments which start with a script name
(e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the
unqualified arguments as well (hostname, maxfiles). This lets you
use the generic version ("hostname") when you want to affect
multiple scripts, while using the qualified version to target
individual scripts. If both are specified, the qualified version
takes precedence for that particular script. This works for library
script arguments too (e.g. you can specify 'timelimit' rather than
unpwdb.timelimit). [Paulino]

Nmap now defers options parsing until it has read through all the
command line arguments. This removes the few remaining cases where
option order mattered (for example, IPv6 users previously had to
specify -6 before -S). [Shinnok]

[NSE] Added a new default credential list for Oracle databases and
modified the oracle-brute script to make use of it. [Patrik]

[NSE] Our Packet library (packet.lua) now handles IPv6. This is used
by the new multicast IPv6 host discovery scripts
(targets-ipv6-*). [Weilin]

[NSE] Replaced xmpp.nse with an an overhauled version named
xmpp-info.nse which brings many new features and fixes. [Vasiliy Kulikov]

[NSE] Removed the mac-geolocation script, which relied on a Google
database to determine strikingly accurate GPS coordinates for
anyone's wireless access points (based on their MAC address). It
was very powerful. Perhaps Google decided it was too powerful, as
they discontinued the service before our script was even 2 months
old.

[Ncat] Added an --append-output option which, when used along with
-o and/or -x, prevents clobbering (truncating) an existing
file. [Shinnok]

Fixed RPC scan (part of -sV) to work on the 64-bit machines where
"unsigned long" is 8 bytes rather than 4. We now use the more
portable u32 in the code. [David]

Relaxed the XML DTD to allow validation of files where the verbosity
level changed during the scan. Also made a service confidence of 8
(used when tcpwrapped) or any other number between 0 and 10
legal. [Daniel Miller]

[NSE] Fixed authentication problems in the TNS library that would prevent
authentication from working against Oracle 11.2.0.2.0 XE [Chris Woodbury]

[NSE] Added basic query support to the Oracle TNS library so that scripts
can now make SQL queries against database servers. Also improved
support for 64-bit database servers and improved the documentation. [Patrik]

Removed some restrictions on probe matching that, for example,
prevented a RST/ACK reply from being recognized in a NULL scan. This
was found and fixed by Matthew Stickney and Joe McEachern.

Rearranged some characters classes in service matches to avoid any
that look like POSIX collating symbols ("[.xyz.]"). John Hutchison
discovered this error caused by one of the match lines:

InitMatch: illegal regexp: POSIX collating elements are not supported

[Daniel Miller]

[NSE] Added more than 100 new signatures to http-enum (many for
known vulnerabilities). They are in the categories: general,
attacks, cms, security, management and database [Paulino]

[NSE] Updated account status text in brute force password discovery
scripts in an effort to make the reporting more consistent across
all scripts. This will have an impact on any code that parses these
values. [Tom Sellers]

Nmap now includes the Liblinear library for large linear
classification (http://www.csie.ntu.edu.tw/~cjlin/liblinear/). We
are using it for the upcoming IPv6 OS detection system, and (if that
works out well) may eventually use it for IPv4 too. It uses a
three-clause BSD license.

[Zenmap] Prevent Zenmap from deleting ports when merging scans
results based on newer scans which did not actually scan the ports
in question. Additionally Zenmap now only updates ports with new
information if the new information uses the same protocol--not just
the same port number. [Colin Rice]

[Ncat] Fixed a crash which would occur when --ssl-verify is combined
with -vvv on windows. [Colin Rice]

[Nping] Added new --safe-payloads option for echo mode which causes
returned packet payloads to be zeroed to reduce privacy risks if
Nping echo server was to accidentally (or through malicious intent)
return a packet which wasn't sent by the Nping echo client. We hope
to soon make this behavior the default. [Luis]

Added a 'nostore' nse argument to the brute force library which
prevents the brute force authentication cracking scripts from
storing found credentials in the creds library (they will still be
printed in script output).

[NSE] Fixed the nsedebug print_hex() function so it does not print an
empty line if there are no remaining characters, and improved its NSEDoc.
[Chris Woodbury].

[Ncat] Ncat no longer blocks while an ssl handshake is taking place
or waiting to complete. This could make listening Ncat instances
unavailable to other clients because one client was taking too long
to complete the SSL handshake. Our public Ncat chat server is now
much more reliable (connect with: ncat --ssl -v chat.nmap.org).
[Shinnok]

[NSE] Updated SMTP and IMAP libraries to support authentication
using both plain-text and the SASL library. [Patrik]

[Zenmap] The Zenmap crash handler now instructs users to mail in
crash information to nmap-dev rather than offering to create a
Sourceforge bug tracker entry. [Colin Rice]

[NSE] Updated smb-brute to add detection for valid credentials where the
target account was expired or limited by time or login host constraints.
[Tom Sellers]

[Ncat] Ncat now supports IPV6 addresses by default without the -6 flag.
Additionally ncat listens on both ::1 and localhost when passed
-l, or any other listening mode unless a specific listening address is
supplied. [Colin Rice]

Fixed broken XML output in the case of timed-out hosts; the
enclosing host element was missing. The fix was suggested by Rémi
Mollon.

backorifice-info: Connects to a BackOrifice service and gathers
information about the host and the BackOrifice service
itself. [Gorjan Petrovski]

broadcast-avahi-dos: Attempts to discover hosts in the local
network using the DNS Service Discovery protocol, then tests
whether each host is vulnerable to the Avahi NULL UDP packet
denial of service bug (CVE-2011-1002). [Djalal Harouni]

http-affiliate-id: Grabs affiliate network IDs (e.g. Google
AdSense or Analytics, Amazon Associates, etc.) from a web
page. These can be used to identify pages with the same
owner. [Hani Benhabiles, Daniel Miller]

ldap-novell-getpass: Attempts to retrieve the Novell Universal
Password for a user. You must already have (and include in script
arguments) the username and password for an eDirectory server
administrative account. [Patrik Karlsson]

mysql-audit: Audit MySQL database server security configuration
against parts of the CIS MySQL v1.0.2 benchmark (the engine can
also be used for other MySQL audits by creating appropriate audit
files). [Patrik Karlsson]

smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow
within versions of Exim prior to version 4.69 (CVE-2010-4344) and
a privilege escalation vulnerability in Exim 4.72 and prior
(CVE-2010-4345). [Djalal Harouni]

smtp-vuln-cve2011-1720: Checks for a memory corruption in the
Postfix SMTP server when it uses Cyrus SASL library authentication
mechanisms (CVE-2011-1720). This vulnerability can allow denial
of service and possibly remote code execution. [Djalal Harouni]

ssl-known-key: Checks whether the SSL certificate used by a host
has a fingerprint that matches an included database of problematic
keys. [Mak Kolybabi]

targets-sniffer: Sniffs the local network for a configurable
amount of time (10 seconds by default) and prints discovered
addresses. If the newtargets script argument is set, discovered
addresses are added to the scan queue. [Nick Nikolaou]

IPv6 protocol scan (-sO) is now supported, including creating
realistic headers for many protocols. [David]

IPv6 support to the wsdd, dnssd and upnp NSE libraries. [Daniel
Miller, Patrik]

The --exclude and --excludefile now support IPV6 addresses with
netmasks. [Colin]

Scanme.Nmap.Org (the system anyone is allowed to scan for testing
purposes) is now dual-stacked (has an IPv6 address as well as IPv4)
so you can scan it during IPv6 testing. We also added a DNS record
for ScanmeV6.nmap.org which is IPv6-only. See
http://seclists.org/nmap-dev/2011/q2/428. [Fyodor]

The Nmap.Org website as well as sister sites Insecure.Org,
SecLists.Org, and SecTools.Org all have working IPv6 addresses now
(dual stacked). [Fyodor]

Nmap now determines the filesystem location it is being run from and
that path is now included early in the search path for data files
(such as nmap-services). This reduces the likelihood of needing to
specify --datadir or getting data files from a different version of
Nmap installed on the system. For full details, see
https://nmap.org/book/data-files-replacing-data-files.html . Thanks
to Solar Designer for implementation advice. [David]

Created a page on our SecWiki for collecting Nmap script ideas! If
you have a good idea, post it to the incoming section of the page.
Or if you're in a script writing mood but don't know what to write,
come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.

The development pace has greatly increased because Google (again)
sponsored a 7 full-time college and graduate student programmer
interns this summer as part of their Summer of Code program!
Thanks, Google Open Source Department! We're delighted to introduce
the team: http://seclists.org/nmap-dev/2011/q2/312

[NSE] Added 7 new protocol libraries, bringing the total to 66. You
can read about them all at https://nmap.org/nsedoc/. Here are the new
ones (authors listed in brackets):

Made the final IP address space assignment update as all available
IPv4 address blocks have now been allocated to the regional
registries. Our random IP generation (-iR) logic now only excludes
the various reserved blocks. Thanks to Kris for years of regular
updates to this function!

[NSE] Replaced http-trace with a new more effective version. [Paulino]

Performed some output cleanup work to remove unimportant status
lines so that it is easier to find the good stuff! [David]

[Zenmap] now properly kills Nmap scan subprocess when you cancel a
scan or quit Zenmap on Windows. [Shinnok]

[NSE] Added a credential storage library (creds.lua) and modified
the brute library and scripts to make use of it. [Patrik]

[Ncat] Created a portable version of ncat.exe that you can just drop
onto Microsoft Windows systems without having to run any installer
or copy over extra library files. See the Ncat page
(https://nmap.org/ncat/) for binary downloads and a link to build
instructions. [Shinnok]

Fix a segmentation fault which could occur when running Nmap on
various Android-based phones. The problem related to NULL being
passed to freeaddrinfo(). [David, Vlatko Kosturjak]

[NSE] The host.bin_ip and host.bin_ip_src entries now also work with
16-byte IPv6 addresses. [David]

[NSE] Added the stdnse.silent_require method which is used for
library requires that you know might fail (e.g. "openssl" fails if
Nmap was compiled without that library). If these libraries are
called with silent_require and fail to load, the script will cease
running but the user won't be presented with ugly failure messages
as would happen with a normal require. [Patrick Donnelly]

[Zenmap] If you scan a system twice, any open ports from the first
scan which are closed in the 2nd will be properly marked as
closed. [Colin Rice].

[Zenmap] Fixed an error that could cause a crash ("TypeError: an
integer is required") if a sort column in the ports table was unset.
[David]

[Ndiff] Added nmaprun element information (Nmap version, scan date,
etc.) to the diff. Also, the Nmap banner with version number and
data is now only printed if there were other differences in the
scan. [Daniel Miller, David, Dr. Jesus]

[NSE] Enabled firewalk.nse to automatically find the gateways at
which probes are dropped and fixed various bugs. [Henri Doreau]

[Zenmap] Worked around a pycairo bug that prevented saving the
topology graphic as PNG on Windows: "Error Saving Snapshot:
Surface.write_to_png takes one argument which must be a filename
(str), file object, or a file-like object which has a 'write' method
(like StringIO)". The problem was reported by Alex Kah. [David]

The -V and --version options now show the platform Nmap was compiled
on, which features are compiled in, the version numbers of libraries
it is linked against, and whether the libraries are the ones that
come with Nmap or the operating system. [Ambarisha B., David]

Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre
from netVigilance.

The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]

[NSE] Added a shortport.ssl function which can be used as a script
portrule to match SSL services. It is similar in concept to our
existing shortport.http. [David]

Set up the RPM build to use the compat-glibc and compat-gcc-34-c++
packages (on CentOS 5.3) to resolve a report of Nmap failing to run
on old versions of Glibc. [David]

[NSE] Fixed a bug which caused some NSE scripts to fail due to the
absence of the NSE SCRIPT_NAME environment variable when loaded.
Michael Pattrick reported the problem. [Djalal]

[Zenmap] Selecting one of the scan targets in the left pane is
supposed to jump to that host in the Nmap Output in the right pane
(but it wasn't). Brian Krebs reported this bug. [David]

Fixed an obscure bug in Windows interface matching. If the MAC
address of an interface couldn't be retrieved, it might have been
used instead of the correct interface. Alexander Khodyrev reported
the problem. [David]

[NSE] Fixed a bug in the nrpe-enum script that would make it run for
every port (when it was selected--it isn't by default). Daniel
Miller reported the bug. [Patrick]

[NSE] When an NSE script sets a negative socket timeout, it now
causes a controlled Lua stack trace instead of a fatal error.
Vlatko Kosturjak reported the bug. [David]

[Zenmap] Worked around an error that caused the py2app bootstrap
executable to be non-universal even when the rest of the application
was universal. This prevented the binary .dmg from working on
PowerPC. Yxynaxen reported the problem. [David]

[Ndiff] Fixed an output line that wasn't being redirected to a file
when all other output was. [Daniel Miller]

[Zenmap] Added a new script selection interface, allowing you to
choose scripts and arguments from a list which includes descriptions
of every available script. Just click the "Scripting" tab in the
profile editor. [Kirubakaran]

[Nping] Added echo mode, a novel technique for discovering how your
packets are changed (or dropped) in transit between the host they
originated and a target machine. It can detect network address
translation, packet filtering, routing anomalies, and more. You can
try it out against our public Nping echo server using this command:

ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c
backdoor reported as OSVDB-ID 69562. This script attempts to
exploit the backdoor using the innocuous id command by default,
but that can be changed with a script argument. [Mak Kolybabi]

giop-info: Queries a CORBA naming server for a list of
objects. [Patrik Karlsson]

gopher-ls: Lists files and directories at the root of a gopher
service. Remember those? [Toni Ruottu]

http-domino-enum-passwords: Attempts to enumerate the hashed Domino
Internet Passwords that are (by default) accessible by all
authenticated users. This script can also download any Domino ID
Files attached to the Person document. [Patrik Karlsson]

resolveall: Resolves hostnames and adds every address (IPv4 or IPv6,
depending on Nmap mode) to Nmap's target list. This differs from
Nmap's normal host resolution process, which only scans the first
address (A or AAAA record) returned for each host name. [Kris
Katterjohn]

rmi-dumpregistry: Connects to a remote RMI registry and attempts to
dump all of its objects. [Martin Holst Swende]

smb-flood: Exhausts a remote SMB server's connection limit by by
opening as many connections as we can. Most implementations of
SMB have a hard global limit of 11 connections for user accounts
and 10 connections for anonymous. Once that limit is reached,
further connections are denied. This script exploits that limit by
taking up all the connections and holding them. [Ron Bowes]

ssh2-enum-algos: Reports the number of algorithms (for encryption,
compression, etc.) that the target SSH2 server offers. If
verbosity is set, the offered algorithms are each listed by
type. [Kris Katterjohn]

[NSE] Added a new brute library that provides a basic framework and logic
for brute force password auditing scripts. [Patrik]

[Zenmap] Greatly improved performance for large scans by
benchmarking intensively and then recoding dozens of slow parts.
Time taken to load our benchmark file (a scan of just over a million
IPs belonging to Microsoft corporation, with 74,293 hosts up) was
reduced from hours to less than two minutes. Memory consumption
decreased dramatically as well. [David]

Performed a major OS detection integration run. The database has
grown more than 14% to 2,982 fingerprints and many of the existing
fingerprints were improved. Highlights include Linux 2.6.37, iPhone
OS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3, and MINIX 2.0.4.
David posted highlights of his integration work at
http://seclists.org/nmap-dev/2010/q4/651

Performed a huge version detection integration run. The number of
signatures has grown by more than 11% to 7,355. More than a third
of our signatures are for http, but we also detect 743 other service
protocols, from abc, acap, access-remote-pc, and achat to zenworks,
zeo, and zmodem. David posted highlights at
http://seclists.org/nmap-dev/2010/q4/761.

[NSE] Added the target NSE library which allows scripts to add newly
discovered targets to Nmap's scanning queue. This allows Nmap to
support a wide range of target acquisition techniques. Scripts which
can now use this feature include dns-zone-transfer, hostmap,
ms-sql-info, snmp-interfaces, targets-traceroute, and several
more. [Djalal]

[NSE] Nmap has two new NSE script scanning phases. The new pre-scan
occurs before Nmap starts scanning. Some of the initial pre-scan
scripts use techniques like broadcast DNS service discovery or DNS
zone transfers to enumerate hosts which can optionally be treated as
targets. The other phase (post scan) runs after all of Nmap's
scanning is complete. We don't have any of these scripts yet, but
they could compile scan statistics or present the results in a
different way. One idea is a reverse index which provides a list of
services discovered during a network scan, along with a list of IPs
found to be running each service. See
https://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]

[NSE] A new --script-help option describes all scripts matching a
given specification. It accepts the same specification format as
--script does. For example, try 'nmap --script-help "default or
http-*"'. [David, Martin Holst Swende]

[NSE] Created a new "broadcast" script category for the broadcast-*
scripts. These perform network discovery by broadcasting on the
local network and listening for responses. Since they don't
directly relate to targets specified on the command line, these are
kept out of the default category (nor do they go in "discovery").

Integrated cracked passwords from the Gawker.com compromise
(http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000
password database. A team of Nmap developers lead by Brandon Enright
has cracked 635,546 out of 748,081 password hashes so far
(85%). Gawker doesn't exactly have the most sophisticated users on
the Internet--their top passwords are "123456", "password",
"12345678", "lifehack", "qwerty", "abc123", "12345", "monkey",
"111111", "consumer", and "letmein".

XML output now excludes output for down hosts when only doing host
discovery, unless verbosity (-v) was requested. This is how it
already worked for normal scans, but the ping-only case was
overlooked. [David]

Merged port names in the nmap-services file with allocated names
from the IANA (http://www.iana.org/assignments/port-numbers). We
only added IANA names which were "unknown" in our file--we didn't
deal with conflicting names. [David]

Enabled the ASLR and DEP security technologies for Nmap.exe,
Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will
set the /DYNAMICBASE and /NXCOMPAT flags in the PE
header. Executables generated using py2exe or NSIS and third party
binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support
for DEP on XP SP3, using SetProcessDEPPolicy(), could still be
implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]

[Zenmap] Improved the output viewer to show new output in constant
time. Previously it would get slower and slower as the output grew
longer, eventually making Zenmap appear to freeze with 100% CPU. Rob
Nicholls and Ray Middleton helped with testing. [David]

The Linux RPM builds of Nmap and related tools (ncat, nping, etc.)
now link to system libraries dynamically rather than statically.
They still link statically to dependency libraries such as OpenSSL,
Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so
the RPMs will work on distributions with older software (like RHEL,
Debian stable) as well as more bleeding edge ones like
Fedora. [David]

[NSE] Added the ability to send and receive on unconnected sockets.
This can be used, for example, to receive UDP broadcasts without
having to use Libpcap. A number of scripts have been changed so that
they can work as prerule scripts to discover services by UDP
broadcasting, and optionally add the discovered targets to the
scanning queue:

The nmap.new_socket function can now optionally take a default
protocol and address family, which will be used if the socket is not
connected. There is a new nmap.sendto function to be used with
unconnected UDP sockets. [David, Patrik]

[NSE] Improved the SMB scripts so that they can run in parallel
rather than using a mutex to force serialization. This quadrupled
the SMB scan speed in one large scale test. See
http://seclists.org/nmap-dev/2010/q3/819. [Ron]

[Zenmap] Made the topology node radiuses grow logarithmically
instead of linearly, so that hosts with thousands of open ports
don't overwhelm the diagram. Also only open ports (not
open|filtered) are considered when calculating node sizes. Henri
Doreau found and fixed a bug in the implementation. [Daniel Miller]

Increased the initial RTT timeout for ARP scans from 100 ms to 200
ms. Some wireless and VPN links were taking around 300 ms to
respond. The default of one retransmission gives them 400 ms to be
detected.

[NSE] The http library's request functions now accept an additional
"auth" table within the option table, which causes Basic
authentication credentials to be sent. [David]

Improved IPv6 host output in that we now remember and report the
forward DNS name (given by the user) and any non-scanned addresses
(usually because of round robin DNS). We already did this for
IPv4. [David]

[NSE] Improved ssh2's kex_init() parameters: all of the algorithm
and language lists can be set using new keys in the "options" table
argument. These all default to the same value used before. Also, the
required "cookie" argument is now replaced by an optional "cookie"
key in the "options" table, defaulting to random bytes as suggested
by the RFC. [Kris]

Ncat now logs Nsock debug output to stderr instead of stdout for
consistency with its other debug messages. [David]

[NSE] Added a new function, shortport.http, for HTTP script
portrules and changed 14 scripts to use it. [David]

Updated to the latest config.guess and config.sub. Thanks to Ty
Miller for a reminder. [David]

[NSE] Added prerule support to snmp-interfaces and the ability to
add the remote host's interface addresses to the scanning queue.
The new script arguments used for this functionality are "host"
(required) and "port" (optional). [Kris]

Fixed some inconsistencies in nmap-os-db and a small memory leak
that would happen where there was more than one round of OS
detection. These were reported by Xavier Sudre from
netVigilance. [David]

Upgraded the OpenSSL binaries shipped in our Windows installer to
version 1.0.0a. [David]

[NSE] Added prerule support to the dns-zone-transfer script,
allowing it to run early to discover IPs from DNS records and
optionally add those IPs to Nmap's target queue. You must specify
the DNS server and domain name to use with script
arguments. [Djalal]

Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with
a struct of the same name in netinet/sctp.h. This caused a
compilation error when Nmap was compiled with an OpenSSL that had
SCTP support. [Olli Hauer, Daniel Roethlisberger]

Added a bunch of Apple and Netatalk AFP service detection
signatures. These often provide extra details such as whether the
target is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]

[NSE] Host tables now have a host.traceroute member available when
--traceroute is used. This array contains the IP address, reverse
DNS name, and RTT for each traceroute hop. [Henri Doreau]

[NSE] Made the ftp-anon script return a directory listing when
anonymous login is allowed. [Gutek, David]

[NSE] Added the nmap.resolve() function. It takes a host name and
optionally an address family (such as "inet") and returns a table
containing all of its matching addresses. If no address family is
specified, all addresses for the name are returned. [Kris]

[NSE] Added the nmap.address_family() function which returns the address
family Nmap is using as a string (e.g., "inet6" is returned if Nmap is
called with the -6 option). [Kris]

[NSE] Scripts can now access the MTU of the host.interface device using
host.interface_mtu. [Kris]

Restrict the default Windows DLL search path by removing the current
directory. This adds extra protection against DLL hijacking attacks,
especially if we were to add file type associations to Nmap in the
future. We implement this with the SetDllDirectory function when
available (Windows XP SP1 and later). Otherwise, we call
SetCurrentDirectory with the directory containing the
executable. [David]

[Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and
Nmap NSE, allowing them to connect to servers which run multiple SSL
websites on one IP address. To enable this for NSE, the nmap.connect
function has been changed to accept host and port tables (like those
provided to the action function) in place of a string and a
number. [David]

[NSE] Renamed db2-info and db2-brute scripts to drda-*. Added
support other DRDA based databases such as IBM Informix Dynamic
Server and Apache Derby. [Patrik]

[Nsock] Added a new function, nsi_set_hostname, to set the intended
hostname of the target. This allows the use of Server Name
Indication in SSL connections. [David]

[NSE] Limits the number of ports that qscan will scan (now up to 8
open ports and up to 1 closed port by default). These limits can be
controlled with the qscan.numopen and qscan.numclosed script
arguments. [David]

[NSE] Made sslv2.nse give special output when SSLv2 is supported,
but no SSLv2 ciphers are offered. This happened with a specific
Sendmail configuration. [Matt Selsky]

[NSE] Added a "times" table to the host table passed to scripts.
This table contains Nmap's timing data (srtt, the smoothed round
trip time; rttvar, the rtt variance; and timeout), all represented
as floating-point seconds. The ipidseq and qscan scripts were
updated to utilize the host's timeout value rather than using a
conservative guess of 3 seconds for read timeouts. [Kris]

Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping),
which were improperly sending whole packets in version
5.35DC1. [Kris]

[NSE] When receiving raw packets from Pcap, the packet capture time
is now available to scripts as an additional return value from
pcap_receive(). It is returned as the floating point number of
seconds since the epoch. Also added the nmap.clock() function which
returns the current time (and convenience functions clock_ms() and
clock_us()). Qscan.nse was updated to use this more accurate timing
data. [Kris]

[Zenmap] Fixed a crash that would happen after opening the search
window, entering a relative date criterion such as "after:-7", and
then clicking the "Expressions" button. The error message was

AttributeError: 'tuple' object has no attribute 'strftime'

[David]

Added a new packet payload--a NAT-PMP external address request for
port 5351/udp. Payloads help us elicit responses from listening UDP
services to better distinguish them from filtered ports. This
payload goes well with our new nat-pmp-info script. [David, Patrik]

[NSE] There is now a limit of 1,000 concurrent running scripts,
instituted to keep memory under control when there are many open
ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE
crash) for one host with tens of thousands of open ports. This limit
can be controlled with the variable CONCURRENCY_LIMIT in
nse_main.lua. [David]

The command line in XML output (/nmaprun/@args attribute) now does
quoting of whitespace using double quotes and backslashes. This
allows recovering the original command line array even when
arguments contain whitespace. [David]

Added a service detection probe for master servers of Quake 3 and
related games. [Toni Ruottu]

[Zenmap] Updated French translation. [Henri Doreau]

[Zenmap] Fixed an crash when printing a scan that had no output
(like a scan made by command-line Nmap). Henri Doreau noticed the
error. [David]

Performed a major OS detection integration run. The database has
grown to 2,608 fingerprints (an increase of 262) and many of the
existing fingerprints were improved. These include the Apple iPad
and Cisco IOS 15.X devices. We also received many fingerprints for
ancient Microsoft systems including MS-DOS with MS Networking Client
3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
integration work at http://seclists.org/nmap-dev/2010/q2/283.

Performed a large version detection integration run. The number of
signatures has grown to 6,622 (an increase of 279). New signatures
include a remote administrative backdoor that a school famously used
to spy on its students, an open source digital currency scheme named
Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
Frozen Bubble. You can read David's highlights at
http://seclists.org/nmap-dev/2010/q2/385.

[NSE] Added nfs-ls.nse, which lists NFS exported files and their
attributes. The nfs-acls and nfs-dirlist scripts were deleted
because all their features are supported by this script. [Djalal]

[NSE] Added the afp-serverinfo script that gets a hostname, IP
addresses, and other configuration information from an AFP server.
The script, and a patch to the afp library, were contributed by
Andrew Orr and subsequently enhanced by Patrik and David.

[Nmap, Ncat, Nping] The default unit for time specifications is now
seconds, not milliseconds, and times may have a decimal point. 1000
now means 1000 seconds, or about 17 minutes, not 1000 milliseconds.
Floating point values such as 1.5 are now allowed. This affects the
following options:
Nmap:

Some sanity checks have been added to catch what looks like an
attempt to use the old millisecond defaults. For example,
--host-timeout 10000 yields

Since April 2010, the default unit for --host-timeout is seconds,
so your time of "10000" is 2.8 hours. If this is what you want,
use "10000s".
QUITTING!

You can always disable the warning by giving an explicit unit.

[NSE] Scripts which take an argument for a time duration can now
have the duration be a number followed by a unit, like elsewhere in
Nmap. An example is "10m" for 10 minutes. The units understood are
"ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for
hours. Seconds are the default if no unit is specified. The new
function stdnse.parse_timespec does the parsing of these
formats. The qscan.delay script argument, which formerly interpreted
its argument as being in milliseconds, now defaults to seconds;
append "ms" to continue using the same numbers. [David]

[Ncat] In listen mode, the --exec and --sh-exec options now accept a
single connection and then exit, just like in normal listen mode.
Use the --keep-open option to get the old default inetd-like
behavior. This was suggested by David Millis. [David]

[NSE] Added http-php-version.nse from Gutek. This script retrieves
version-specific pages through a couple of magic PHP queries, which
can identify the PHP version even when a server doesn't advertise
it.

David made many improvements to the NSEDoc for individual scripts,
including adding @output sections to scripts which didn't have them.
He also improved the generated HTML with features like
auto-generating usage strings if the scripts don't include their own
and allowing the giant sidebar lists of scripts/libraries to expand
and contract. See https://nmap.org/nsedoc/.

UDP payloads are now stored in an external data file, nmap-payloads,
instead of being hard-coded in the executable. This makes it easier
to add your own payloads or disable those you find problematic. [Jay
Fink, David]

Open XML elements are now closed in case of a fatal error, so the
output should at least be well-formed. There are new attributes
"exit" and "errormsg" in the finished element. "exit" is "success"
or "error". When it is "error", the "errormsg" attribute contains
the error message. Thanks to Grant Bartlett, who found a typo in the
new output. [David]

Fixed name resolution in environments where gethostbyname can return
IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
would wrongly use the first four bytes of the IPv6 address as an
IPv4 address. You could force this, at least on Debian, by adding
the line "options inet6" to /etc/resolv.conf or by running with
RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik
Andersson, who also suggested the fix. [David]

Fixed the assignment of interface aliases to directly connected
routes on Linux, which was broken in 5.30BETA1 (it always assigned
the base interface instead of the alias). This was visible in the
host.interface variable passed to NSE scripts. The bug was reported
Victor Rudnev. [David]

When Nmap is passed a hostname such as google.com which resolves to
several IP addresses, Nmap now prints each IP address. It still
only scans the first one in the returned list. [David]

Nmap now works if you specify several target host names which
resolve to the same IP address. This can be useful when you are
scanning virtual-hosted web servers and want to see NSE results
specific to each site name even though they reside on the same
machine. [David]

Added a new library, libnetutil, which contains about 2,700 lines of
networking related code which is now shared between Nmap and Nping
(it was previously duplicated by each tool). [Luis, David]

[NSE]http-passwd.nse now also checks for boot.ini to support
Windows targets. [Gutek]

Removed --interactive mode, a miniature shell whose primary purpose
was to hide command line arguments from the process list. It had
been broken (would segfault during the second scan) for at least 9
months and was rarely used. The fact that it was broken was reported
by Juan Carlos Castro. [David]

Added a version probe, match line, and UDP payload for the
serialnumberd service of Mac OS X Server. This service overrides
firewall settings to make itself visible, so it's useful for host
discovery. [Patrik]

Fixed a bug in Libpcap which lead to Nmap hanging forever in some
cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3. The fix was
actually already available in upstream Libpcap, just not released.
We also had to make Nmap build with its own Libpcap on 64-bit OS X
if an already-installed system Libpcap has this bug. [David]

Updated our WinPcap to the new 4.1.2 release. [Rob Nicholls]

[NSE] Fixed a bug in qscan.nse which gave an error if a confidence
level of 0.9995 was used. Thanks to Marcin Hoffmann for noticing
the problem. [Kris]

[libpcap] Added a --disable-packet-ring option to force the use of
an older, slower packet capture mechanism on Linux. Before Linux
2.6.27, the packet ring mechanism uses different-sized kernel
structures on 32- and 64-bit architectures, so a 32-bit program will
not run correctly on a 64-bit kernel. The older mechanism does not
have this flaw.

Fixed some errors in nmap-os-db, probably caused by incorrect string
replacement during integration. This patch is from James Cook.

[Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that
allows setting the SO_BROADCAST option on sockets. Ncat now sets
this option unconditionally in connect mode to allow connections to
broadcast addresses (useful in UDP mode). [Daniel Miller]

Nmap now works with "teamed" network interfaces on Windows. In order
to distinguish the interfaces, their textual descriptions are now
compared in addition to their MAC addresses. Without this, Nmap
would send on the wrong interface and not receive any replies. A
symptom of this problem was all scans failing except when
--unprivileged was used. Norris Carden reported this bug. [David]

[Ncat] When receiving a connection/datagram in listen mode, Ncat now
prints the connecting source port along with the IP address (when
verbosity is enabled). [Rebellis]

Fixed a problem where the time variable used in some port scanning
algorithms (for probe timeouts, etc) could vary based on the
debugging level. [Kris]

Moved the parse_long function from ncat to nbase for better reuse,
and used it to simplify netmask parsing code. [William Pursell]

Added EPROTO to the list of known error codes in service scan. Daniel
Miller reported that an EPROTO was causing Nmap to exit after sending
the Sqlping probe during service scan. The error message was
"Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol
error)". We suspect this was caused by a forged ICMP packet sent by an
active firewall. [David]

[NSE] Improved smtp-commands.nse to work against more mail servers,
made it take an smtp-commands.domain script argument, and rewrote it
in the style of other smtp scripts. [Jasey DePriest]

[NSE] Made smtp-commands run for the services smtp, smtps,
submission rather than just smtp. The other smtp scripts already do
this. [David]

[NSE] The dns-recursion script now marks the port as open when it
gets a response. [Olivier M]

[Nping] A big correctness and code cleanliness audit was performed
which resulted in many bugs being fixed and much more code being
shared with Nmap rather than duplicated. A structured testing
script system was also created. [Luis, David]

[Nping] Now allows a --count value of zero to run almost
indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]

[Nping] Fixed --data argument parsing. The value passed was not
actually making it into outgoing packets. Reported by Tim
Poth. [Luis]

[Nping] When a RST packet is received in response to a connection
attempt in TCP-Connect mode, Nping now properly prints "Connection
refused" rather than "Operation now in progress". [Luis]

[Nping] Fixed a bug which caused failure when the first supplied
target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com
tcpdump.com). [Luis]

[Nping] Fixed some bugs in the BPF filter creation to avoid capture
and printing of packets Nping sent or which are destined for another
process. [Luis]

[Nping] Fixed a bug which prevented ARP replies from being displayed
properly. [Luis]

[Nping] Fixed a bug that caused ICMP Router Advertisement entries to
be set in host byte order rather than proper network byte
order. [Luis]

[Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]

The Mac OS X installer is now built with MacPorts 1.9.1 rather than
1.8.2. Among other changes, this fixes a segmentation fault reported
by some OS X 10.6.3 users.

Nsock now supports an option to remove its Pcap support. This
allows the same Nsock to be shared with Nmap (which needs that
support) and Ncrack (which doesn't.) Pcap support can be disabled by
specifying --disable-pcap at configure time on UNIX, or by selecting
the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on
Windows.

Sped up compilation by not building both shared and static libdnet
libraries--we only use the static one. [David]

[NSE] Add some special-use IPv4 addresses to isPrivate which are
described in RFC 5736 and RFC 5737, published in Jan 2010. Improve
performance of isPrivate for IPv4 addresses by using ip_in_range
less frequently. Add an extra return value to isPrivate - when the
first return value is true, the second return value will now be a
string representing the special use assignment in which the supplied
address is located. [jah]

Fix compilation on OpenSolaris. We had to make the libdnet autoconf
check for PF_PACKET Linux-specific. Recent versions of OpenSolaris
support PF_PACKET, but not in a way which is entirely compatible
with the Linux approach. This problem was reported by Darren Reed. A
few other minor compatibility changes were made as well. [David]

[NSE] Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis"
name in the MySQL library. [Kris]

Cleaned up our Winpcap header file directory, and also updated to
the latest files from the official developer pack
(WpdPack_4_1_1.zip). [Fyodor]

[NSE] Fixed a bug which would prevent rpcinfo.nse from returning any
results for RPC programs which could not be matched to a
name. [Patrik]

[NSE] The ftp-anon script is now much smarter about parsing server
responses and detecting successful (or not) logins. It now knows
how to send the ACCT command where appropriate as well. [Rob
Nicholls]

Normalized a bunch of version detection entries with "webserver" in
the description. In most cases this was changed to "httpd".

[Ncat] Fixed the --crlf option not to insert an extra \r byte in the
case that one system read ends with \r and the next begins with \n
(should be rare). [David]

[NSE] Fixed bug in rpc.lua library that incorrectly required file handles
to be 32 octets when calling the ReadDir function. The bug was reported by
Djalal Harouni. [Patrik]

An ALPHA TEST VERSION of Nping, a packet generator written by Luis
MartinGarcia and Fyodor last summer, is now included in the Nmap
distribution. While it works, we consider the application unfinished
and we hope to improve it greatly as a Summer of Code project this
summer and then do an official release. See https://nmap.org/nping/.

[NSE] Added RPC library and three new NFS scripts. Modified the
rpcinfo and nfs-showmount scripts to use the new library. The new
scripts are:

[NSE] Added the qscan script to repeatedly probe ports on a host to
gather round-trip times for each port. The script then uses these
times to group together ports with statistically equivalent round
trip times. Ports in different groups could be the result of things
such as port forwarding to hosts behind a NAT. It is based on work
by Doug Hoyte. This script also utilizes the new NSE raw IP sending
functionality. See https://nmap.org/nsedoc/scripts/qscan.html . [Kris]

[NSE] Added a new script, db2-das-info.nse, that connects to the IBM
DB2 Administration Server (DAS) exports the server profile. No
authentication is required for this request. The script will also
set the port product and version if a version scan is requested. See
https://nmap.org/nsedoc/scripts/db2-das-info.html . [Patrik Karlsson,
Tom Sellers]

[NSE] Added a new library for ASN.1 parsing and adapted the SNMP
library to make use of it. Added 5 SNMP scripts that use the new
libraries:

Improved the passwords.lst database used by NSE by combining several
leaked password databases collected by Ron Bowes. The size of the
database has been increased from 200 to 5000.

Zenmap's "slow comprehensive scan profile" has been modified to use
the best 7-probe host discovery combination we were able to find in
extensive empirical testing
(http://www.bamsoftware.com/wiki/nmap/EffectivenessOfPingProbes).
That combination is "-PE -PP -PS21,22,23,25,80,113,31339
-PA80,113,443,10042 -PO". [David]

Switched to -Pn and -sn and as the preferred syntax for skipping
ping scan and skipping port scan, respectively. Previously the -PN
and -sP options were recommended. This establishes a more regular
syntax for some options that disable phases of a scan:

-n no reverse DNS

-Pn no host discovery

-sn no port scan

We also felt that the old -sP ("ping scan") option was a bit
misleading because current versions of Nmap can go much further
(including -sC and --traceroute) even with port scans disabled. We
will retain support for the previous option names for the foreseeable
future.

[NSE] Added the ipidseq script to classify a host's IP ID sequence
numbers in the same way Nmap does. This can be used to test hosts'
suitability for Nmap's Idle Scan (-sI), i.e. check if a host is an
idle zombie. This is the first script to use the new raw IP sending
functionality in NSE. See
https://nmap.org/nsedoc/scripts/ipidseq.html . [Kris]

[NSE] Added jdwp-version.nse, a script by Michael Schierl that finds
the version of a Java Debug Wire Protocol server. This is a
dangerous service to find running as it does not provide any
security against malicious attackers who can inject their own
bytecode into the debugged process. See
https://nmap.org/nsedoc/scripts/jdwp-version.html .

[NSE] The unpwdb library now has a default time limit on the
usernames and passwords iterators. This will prevent brute force
scripts from running for a long time when a service is slow. These
new script arguments control the limits:

When --open is used, Nmap no longer prints output for hosts which
don't have any open ports. All output formats are treated the same
way, so if a host isn't shown in normal output, it won't be shown in
XML output either.

[NSE] Added the script http-methods from Bernd Stroessenreuther.
This script sends an HTTP OPTIONS request to get the methods
supported by the server, highlights potentially risky methods, and
optionally tests each method to see if they are restricted by IP
address or something similar. See
https://nmap.org/nsedoc/scripts/http-methods.html .

The -v and -d options are now handled in the same way. These three
forms are equivalent:

Fixed a libpcap compilation error on Solaris. This was actually
fixed in libpcap's source control back in 2008, but they haven't made
a release since then :(. They still seem to be actively developing
though, so let's hope for a release soon. Solaris compilation fixes
were made to Ncat and Nping as well.

Zenmap now lets you save scan results in normal Nmap text output
format or (as before) as XML. The XML format still has the text
version embedded inside it, and is still the only format Zenmap can
load again. The "Save to Directory" mode for saving multiple
aggregated scans at once still always saves XML results. [David]

Fixed the packaging of x64 versions of WinPcap drivers in the
winpcap-nmap installer to ensure that 64-bit applications (such as
64-bit Wireshark) work properly. [Rob Nicholls]

Fixed the Idle Scan (-sI) so that scanning multiple hosts doesn't
retest the zombie proxy and reinitialize all of the associated data
at the beginning of each run. [Kris]

Added version detection match line for the Arucer backdoor, which was
found packaged with drivers for the Energizer USB recharger product
(see http://www.kb.cert.org/vuls/id/154421). [Ron]

Fixed --resume to work again despite our recent changes to the Nmap
output format. [jlanthea]

[Zenmap] Localized most of the remaining strings in the GUI
interface which were English-only. The actual textual Nmap results
are still in English since Nmap, but the GUI is now almost fully
localized. [David]

[Zenmap] Updated the localization files for the French
translation. [Gutek]

[Zenmap] Fixed an interface bug which could cause hostnames with
underscores like "host_a" to be rendered like "hosta" with the "a"
underlined. Thanks to Toralf F. for the report, and David for the
fix.

Nmap now honors routing table entries that override interface
addresses and netmasks. For example, with this configuration:

Nmap will not consider 192.168.0.3 directly connected through eth0,
even though it matches the interface's netmask. It won't try to ARP
ping 192.168.0.3, but will route traffic through 192.168.0.1.

[Ncat] The HTTP proxy server now accepts client connections over
SSL. That means connections to the proxy can be encrypted and
authenticated. We haven't found any HTTP clients that directly
support SSL connections to proxies, but you can use Ncat as a tunnel
to an SSL-supporting Ncat proxy. This new feature was implemented by
Markus Klinik.

Updated our Mac OS X build system so that our binary packages are
built on Mac OS X 10.6 rather than 10.5. [David]

Fixed reading of the interface table on NetBSD. Running nmap
--iflist would report "INTERFACES: NONE FOUND(!)" and any scan done
as root would fail with "WARNING: Unable to find appropriate
interface for system route to...". This was first reported by Jay
Fink, and had already been patched in the NetBSD pkgsrc
tree. [David]

Fixed a bug in traceroute that could happen when directly connected
and routed targets were in the same hostgroup. If the first target
was directly connected, the traceroute for all targets in the group
would have a trace of one hop.

ARP requests now work with libpcap Linux "cooked" encapsulation.
According to http://wiki.wireshark.org/SLL, this encapsulation is
used on devices "where the native link layer header isn't available
or can't be used." Before this, attempting any ARP operation on such
an interface would fail with the error

read_arp_reply_pcap called on interfaces that is datatype 113
rather than DLT_EN10MB (1)

[David]

Fixed the display of route netmask bits in --iflist on little-endian
architectures. Formerly, any mask less than /24 was shown as /0, and
other masks were also wrong. [David]

Fixed an assertion failure which could occur when connecting to an
SSL server:

> 0' failed.
This was observed when running the http-enum script but could
possibly have happened in other situations. Thanks to Brandon for
reporting the bug and testing. [David]

Added the function bignum_add to the nse_openssl library to support
BIGNUM addition [Patrik]

The redistributable Visual C++ runtime components installer
(vcredist_x86.exe) has been upgraded to version 9.0.30729.4148. Axel
Pettinger reported that the previous version 9.0.30729.17, caused a
Windows Update on Windows 7 because of Microsoft security advisory
MS09-035.

[Ncat] Fixed an error that could make programs run with --exec exit
prematurely on Windows. The problem was related to a program writing
too quickly into a non-blocking socket. A symptom was the message:

NCAT DEBUG: Subprocess ended with exit code 259.

Reported by David Millis. [David]

[Ncat] Fixed a bug that prevented detection of EOF from stdin on
Windows. Reported by Adrian Crenshaw and Andy Zwirko. [David]

[Nsock] WSAEACCES was added to the list of known connect error
codes. This error can happen on Windows when a port is blocked by
Windows Firewall. Thanks to Taemun for reporting this and
investigating.

XML output now only includes host elements for down hosts in verbose
mode. This makes it consistent with the other output formats.

[NSE] Fixed http-enum so it uses the full path name for the
fingerprints file. This prevents it from quitting with an error like
this:

Fixed the parsing of libdnet DLPI interface names that contain more
than one string of digits. Joe Dietz reported that an interface with
the name e1000g0 was causing this error message on Solaris 9:

Warning: Unable to open interface e1000g0 -- skipping it.

[David]

[NSE] Added the function nmap.is_privileged() to tell a script if,
as far as Nmap's concerned, it can do privileged operations. For
instance, this can be used to determine whether a script can open a
raw socket or Ethernet interface. [Kris]

[NSE] Added the function nmap.get_ports() so scripts can iterate
over a host's port table entries matching a given protocol and
state. [Kris, Patrick]

[Ncat] Fixed a handle leak with --exec and --sh-exec on Windows,
found by Jon Greaves. One thread handle was being leaked per child
process invocation. [David]

[NSE]nbstat.nse can now look up the MAC prefix vendor string. Other
scripts can now do the same thing using the
datafiles.parse_mac_prefixes function. [Thomas Buchanan]

Remove the PYTHONPATH and PYTHONHOME variables from the environment
before executing a sub-ndiff if they exist and if Zenmap is running
in a py2app bundle. These variables are set by py2app to point
inside our application bundle. Having them set in the environment
makes Ndiff use the same settings because it is also a Python
application. Deleting the variables is somewhat wrong, because the
user may have set those outside of Zenmap expecting them to be used
with their system-installed Python programs. But this is at least no
worse than before our build system update, because previously py2app
was stomping on the variables anyway. [David]

[Ncat] Fixed a segmentation fault caused by access to freed memory.
It could be triggered by making multiple connections to a server
that was constantly sending in SSL mode, such as:

ncat -l -k --ssl < /dev/zero

This bug was reported by Mak Kolybabi. [David]

[NSE] Moved the smtp-open-relay.nse script out of the "demo"
category after improvements by Duarte Silva. We have now met the
goal of removing all scripts from that category.

[NSE] Fixed a bug which prevented smb-brute from properly detecting
account lockouts, which could lead to lockouts of many accounts on
the target machine. Now smb-brute tries to check the lockout policy
before starting and refuses to run (unless you force it to with the
smblockout variable) if lockouts are enabled or if it locks out an
account. [Ron]

[NSE] Rewrote smb-enum-domains to be more generalized and rely on
library functions which will eventually be shared with
smb-brute. [Ron]

Qualified an assertion to allow zero-byte sends in Nsock. Without
this, an NSE script could cause this assertion failure by doing
socket:send(""):

Added a service probe for Logitech SqueezeCenter command line interface
[Patrik]

Improved PostgreSQL match lines by matching the line of the error to a
specific version [Patrik].

Added a mac_addr_next_hop member to the host tables used in NSE for
scripts which need to know the MAC address of the next hop router
for reaching a target host. [Michael Pattrick, KX].

Removed the nmap_service.exe helper program for smb-psexec, as it
was still being flagged by malware detection even after the
bit-flipping in the next release. In fact, the obfuscation backfired
and caused more false positives! You can now download it from
https://nmap.org/psexec/nmap_service.exe. (The script will remind you
if you run the script and it's not installed.)

Added service probes and UDP payloads for games based on the Quake 2
and Quake 3 engine, submitted by Mak Kolybabi.

[Ncat] Added support for HTTP digest authentication of proxies, as
both client and server. Previously only the less secure basic
authentication method was supported. [Venkat, David]

Improved the MIT Kerberos version detection signatures. [Matt Selsky]

[Ndiff] Show a nicer error message when an input file can't be
loaded. Suggested by Derril Lucci, who also contributed a patch.

[NSE] Added a new library afp.lua which handles the Apple Filing
Protocol (AFP) filesharing system. The library handles
authentication and many other protocol features, and enables the new
afp-path-vuln, afp-brute, and afp-showmount scripts. [Patrik]

[Zenmap] Added a workaround for a Ubuntu Python packaging idiosyncrasy.
As of version python2.6-2.6.4-0ubuntu3, Ubuntu's distutils modifies
self.prefix, a variable we use in the setup.py script. This would
cause Zenmap to look in the wrong place for its configuration files,
and show the dialog "Error creating the per-user configuration
directory" with the specific error "[Errno 2] No such file or
directory: '/usr/share/zenmap/config'". This problem was reported by
Chris Clements, who also helped debug. [David]

Fixed an error that occurred when UDP scan was combined with version
scan. UDP ports would appear in the state "unknown" at the end of
the scan, and in some cases an assertion failure would be raised.
This was an unintended side effect of the memory use reduction
changes in 5.20. The bug was reported by Jon Kibler. [David]

[NSE] Did some simple bit-flipping on the nmap_service.exe program
used by the smb-psexec script, to avoid its being falsely detected
as malware. [Ron]

[NSE] Fixed a bug in http.lua that could lead to an assertion
failure. It happened when there was an error getting the a response
at the beginning of a batch in http.pipeline. The symptoms of the
bug were:

[NSE] Restored the ability of http.head to return a body if the
server returns one. This was lost in the http.lua overhaul from
5.20. [David]

[NSE] Fixed the use of our strict.lua library on distributions that
install their own strict.lua. The error message was

nse_main.lua:97: attempt to call a boolean value

It was reported by Onur K. [Patrick]

Fixed handing of nameserver entries in /etc/resolv.conf so it could
handle entries containing more than 16 bytes, which can occur with
IPv6 addresses. Gunnar Lindberg reported the problem and
contributed an initial patch, then Brandon and Kris refined and
implemented it.

[NSE] Corrected a behavior change in http.request that was
accidentally made in 5.20: it could return nil instead of a table
indicating failure. [David]

[NSE] Fixed the use of an undefined variable in smb-enum-sessions,
reported by Brandon. [Ron]

Fixed a compiler error when --without-liblua is used. [Brandon]

[NSE] Fixed an error with running http-enum.nse along with the
--datadir option. The script would report the error

http-enum.nse:198: bad argument #1 to 'lines'
(nselib/data/http-fingerprints: No such file or directory)

The error was reported by Ron Meldau and Brandon. [Kris]

Added a function that was missing from http-favicon.nse. Its absence
would cause the error

Dramatically improved the version detection database, integrating
2,596 submissions that users contributed since February 3, 2009!
More than a thousand signatures were added, bringing the total to
8,501. Many existing signatures were improved as well. Please keep
those submissions and corrections coming! Nmap prints a submission
URL and fingerprint when it receives responses it can't yet
interpret.

[Ncat] The --ssl, --output, and --hex-dump options now work with
--exec and --sh-exec. Among other things, this allows you to make a
program's I/O available over the network wrapped in SSL encryption
for security. It is implemented by forking a separate process to
handle network communications and relay the data to the
sub-process. [Venkat, David]

Nmap now tries start the WinPcap NPF service on Windows if it is not
already running. This is rare, since our WinPcap installer starts
NPF running at system boot time by default. Because starting NPF
requires administrator privileges, a UAC dialog for net.exe may
appear on Windows Vista and Windows 7 before NPF is loaded. Once
NPF is loaded, it generally stays loaded until you reboot or run
"net stop npf". [David, Michael Pattrick]

The Nmap Windows installer and our WinPcap installer now have an
option /NPFSTARTUP=NO, which inhibits the installer from setting the
WinPcap NPF service to start at system startup and at install-time.
This option only affects silent mode (/S) because existing GUI
checkboxes allow you to configure this behavior during interactive
installation. [David]

[NSE] Replaced our runlevel system for managing the order of script
execution with a much more powerful dependency system. This allows
scripts to specify which other scripts they depend on (e.g. a brute
force authentication script might depend on username enumeration
scripts) and NSE manages the order. Dependencies only enforce
ordering, they cannot pull in scripts which the user didn't
specify. See
https://nmap.org/book/nse-script-format.html#nse-format-dependencies
[Patrick]

[Ncat] For compatibility with Hobbit's original Netcat, The -p
option now works to set the listening port number in listen mode.
So "ncat -l 123" can now be expressed as "ncat -l -p 123"
too. [David]

A new script argument, http.useragent, lets you modify
the User-Agent header sent by NSE from its default of "Mozilla/5.0
(compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)".
Set it to the empty string to disable the User-Agent
entirely. [David, Tom Sellers, Jah]

[Zenmap] The locale setting had been taken from the Windows locale,
which inadvertently made setting the locale with the LANG
environment variable stop working. Now the LANG variable is examined
first, and if that is not present, the system-wide setting is
used. This change allows users to keep Zenmap in its original
English (or any of Zenmap's other languages) even if their system is
set to use a different locale. [David]

[NSE] The http-favicon script is now better at finding "link
rel=icon" tags in pages, and uses that icon in preference to
/favicon.ico if found. If the favicon.uri script arg is given, only
that is tried. Meanwhile, a giant (10 million web servers) favicon
scan by Brandon allowed us to add about 40 more of the most popular
icons to the DB. [David, Brandon]

[NSE] Fixed a bug which kept the nselib/data/psexec subdirectory out
of the Windows packages. We needed to add the /s and /e options to
xcopy in our Visual C++ project file. [David]

[NSE] Overhauled our http library to centralize HTTP parsing and
make it more robust. The biggest user-visible change is that
http.request goes back to returning a parsed result table rather than raw
HTTP data. Also the http.pipeline function no longer accepts the
no-longer-used "raw" option. [David]

Fixed a bug in traceroute that could lead to a crash:

terminate called after throwing an instance of 'std::out_of_range'
what(): bitset::test

It happened when the preliminary distance guess for a target was
greater than 30, the size of an internal data structure. David and
Brandon tracked down the problem.

Fixed compilation of libdnet-stripped on platforms that don't have
socklen_t. [Michael Pattrick]

Added a service probe and match lines for the Logitech/SlimDevices
SqueezeCenter music server. [Patrik Karlsson]

Fixed the RTSPRequest version probe, which was accidentally modified
to say "RTSP/2.0" rather than "RTSP/1.0" in 5.10BETA2. [Matt Selsky]

[NSE] Our http library no longer allows cached responses from a GET
request to be returned for a HEAD request. This could cause problems
with at least the http-enum script. [David]

Fixed a bug in the WinPcap installer: If the "Start the WinPcap
service 'NPF' at startup" box was unchecked and the "Start the
WinPcap service 'NPF' now" box was checked, the second checkbox
would be ignored (the service would not be started now). [Rob
Nicholls]

ntp-info prints the time and configuration variables provided by
an NTP service. It may get such interesting information as the
operating system, server build date, and upstream time server IP
address. See
https://nmap.org/nsedoc/scripts/ntp-info.html . [Richard Sammet]

We performed a memory consumption audit and made changes to
dramatically reduce Nmap's footprint. This improves performance on
all systems, but is particularly important when running Nmap on
small embedded devices such as phones. Our intensive UDP scan
benchmark saw peak memory usage decrease from 34MB to 6MB, while OS
detection consumption was reduced from 67MB to 3MB. Read about the
changes at http://seclists.org/nmap-dev/2009/q4/663. Here are the
highlights:

The size of the internal representation of nmap-os-db was reduced
more than 90%. Peak memory consumption in our OS detection
benchmark was reduced from 67MB to 3MB. [David]

The size of individual Port structures without service scan
results was reduced about 70%. [Pavel Kankovsky]

When a port receives no response, Nmap now avoids allocating a
Port structure at all, so scans against filtered hosts can be
light on memory. [David]

David started a major service detection submission integration
run. So far he has processed submissions since February for the
following services: imap, pop3, afp, sip, printer, transmission,
svnserve, vmware, domain, backdoor, finger, freeciv, hp, imaps, irc,
landesk, netbios-ssn, netsupport, nntp, oracle, radmin, routersetup,
rtorrent, serv-u, shoutcast, ssh, tcpmux, torrent, utorrent, vnc and
ipp. The rest will come in the next release, along with full stats
on the additions.

[NSE] Fixed (we hope) a deadlock we were seeing when doing a
favicon.nse survey against millions of hosts. We now restore all
threads that are waiting on a socket lock when a thread relinquishes
its lock. We expect only one of them to be able to grab the newly
freed lock, and the rest to go back to waiting. [David, Patrick]

[Zenmap] Fixed a crash when filtering with inroute: in scans without
traceroute data. (KeyError: 'hops') [David]

[Ncat] In the Windows version of netrun, we weren't noticing when a
command fails to be executed (when CreateProcess fails). We now see
the return value and close the socket to disconnect the
client. [David]

Added 14 new NSE scripts for a grand total of 72! You can learn
about them all at https://nmap.org/nsedoc/. Here are the new ones:

smb-psexec implements remote process execution similar to the
Sysinternals' psexec tool (or Metasploit's psexec "exploit"),
allowing a user to run a series of programs on a remote machine
and read the output. This is great for gathering information about
servers, running the same tool on a range of system, or even
installing a backdoor on a collection of computers. See
https://nmap.org/nsedoc/scripts/smb-psexec.html [Ron]

dhcp-discover sends out DHCP probes on UDP/67 and displays all
interesting results (or, with verbosity, all results).
Optionally, multiple probes can be sent and the MAC address can be
randomized in an attempt to exhaust the DHCP server's address pool
and potentially create a denial of service condition. See
https://nmap.org/nsedoc/scripts/dhcp-discover.html . [Ron]

db2-info enhances DB2 database instance detection. It provides
detection when version probes fail, but will default to the
version detection probe value if that is more precise. It also
detects the server platform and database instance name. The DB2
version detection port ranges were broadened to 50000-50025 and
60000-60025 as well. [Tom]

Nmap's --traceroute has been rewritten for better performance.
Probes are sent in parallel to individual hosts, not just across all
hosts as before. Trace consolidation is more sophisticated, allowing
common traces to be identified sooner and fewer probes to be sent.
The older traceroute could be very slow (taking minutes per target)
if the target did not respond to the trace probes, and this new
traceroute avoids that. In a trace of 110 hosts in a /24 over the
Internet, the number of probes sent dropped 50% from 1565 to 743,
and the time taken dropped 92% from 95 seconds to 7.6
seconds. Traceroute now uses an ICMP echo request probe if no
working probes against the target were discovered during
scanning. [David]

[Zenmap] After performing or loading a scan, you can now filter
results to just the hosts you are interested in by pressing Ctrl+L
(or the "Filter Hosts" button) to open the host filtering interface.
This makes it easy to select just Linux hosts, or those running a
certain version of Apache, or whatever interests you. You can easily
modify the filter or remove it to see the whole scan again. See
https://nmap.org/book/zenmap-filter.html . [Josh Marlow]

For some UDP ports, Nmap will now send a protocol-specific payload
that is more likely to get a response than an empty packet is. This
improves the effectiveness of probes to those ports for host
discovery, and also makes an open port more likely to be classified
open rather than open|filtered. The ports and payloads are defined
in payload.cc. The ports that have a payload are 7 (echo),
53 (domain), 111 (rpcbind), 123 (ntp), 137 (netbios-ns), 161 (snmp),
177 (xdmcp), 500 (isakmp), 520 (route), 1645 and 1812 (radius),
2049 (nfs), 5353 (zeroconf), and 10080 (amanda). [David]

Integrated 1,349 fingerprints (and 81 corrections) submitted by Nmap
users! They resulted in 342 new fingerprints (a 17% increase),
including Google's Android Linux system for smart phones, Mac OS X
10.6 (Snow Leopard), the Chumby, and a slew number of printers, broadband
routers, and other devices (40 new vendors). See
http://seclists.org/nmap-dev/2009/q4/416 [David]

[NSE] For all the services which are commonly tunneled over SSL
(pop3, http, imap, irc, smtp, etc.), we audited the scripts to
ensure they can support that tunneling. The com.tryssl function
was added for easy SSL detection. See
https://nmap.org/nsedoc/lib/comm.html [Joao]

Nmap now prefers to display the hostname supplied by the user instead
of the reverse-DNS name in most places. If a reverse DNS record
exists, and it differs from the user-supplied name, it is printed
like this:

Ndiff now shows changes in script (NSE) output for each target
host (in both text output format and XML). [David]

We now print output for down hosts, even when doing scanning beyond
just a ping scan. This always prints to XML and grepable output,
and is printed to normal and interactive output in verbose mode. The
format for printing a down host has changed slightly: "Nmap scan
report for 1.1.1.1 [host down]" [David]

Version detection's maximum socket concurrency has been increased
from 10-20 based on timing level to 20-40. This can dramatically
speed up version detection when there are many open ports in a host
group being scanned. [Fyodor]

The Nmap source tarball (and RPMs) now included man page
translations (16 languages so far). Nmap always installs the English
man page, and installs the translations by default. If you only want
some of the translations, set the LINGUAS environmental variable to
the language codes you are interested in (e.g. "es de"). You can
specify the configure option --disable-nls or set LINGUAS to the
empty string to avoid installation of any man page translations. The
RPM always installs them. [David]

Fixed a problem in which the Nmap installer wrongly reported that
the Microsoft Visual C++ 2008 Redistributable Package (vcredist.exe)
failed to install. We had to update a registry key--see
http://seclists.org/nmap-dev/2009/q3/164. [Jah]

Added support for connecting to nameservers over IPv6. IPv6 addresses
can be used in /etc/resolv.conf or with the --dns-servers option. The
parallel reverse DNS resolver still only support IPv4 addresses, but
it can look them up over IPv6. [Ankur Nandwani]

Zenmap now includes ports in the services view whenever Nmap found
them "interesting," whatever their state. Previously they were only
included if the state was "open", "filtered", or "open|filtered",
which led to confusing behavior when a closed port showed up in the
Services column but clicking on the service showed no ports in the
display. [David]

[NSE] Added HTTP pipelining support to the HTTP library and and to
the http-enum, http-userdir-enum, and sql-injection.nse
scripts. Pipelining can increase speed dramatically for scripts
which make many requests.

[NSE] The HTTP library now caches responses from http.get or
http.head so that resources aren't requested multiple times during
the same Nmap run even if several scripts request them. See
http://seclists.org/nmap-dev/2009/q3/733. [Patrick]

[Ncat, Ndiff] The exit codes of these programs now reflect whether
they succeeded. For Ncat, 0 means the connection was successful, 1
indicates a network error, and 2 indicates any other error. For
Ndiff, 0 means the scans were equal, 1 means they were different,
and 2 indicates a runtime error. [David]

[Ncat] In verbose mode, Ncat now prints the number of bytes read and
written after the client connection is terminated. Ncat also now
prints elapsed time. For example, "Ncat finished: 16 bytes sent, 566
bytes received in 8.05 seconds." [Venkat]

[NSE]telnet-brute.nse now uses the unpw database instead of a
hard coded list. [Ron]

[NSE] Scripts that are listed by name with the --script option now
have their verbosity level automatically increased by one. Many
will print negative results ("no infection found") at a higher
verbosity level. The idea is that if you ask for a script
specifically, you are more interested in such results.
[David, Patrick]

Upgraded our Winpcap installer to use the new WinPcap version 4.1.1.
A bug which could prevent proper uninstallation of previous versions
was fixed at the same time. Later we made it set some registry keys
for compatibility with the official Winpcap project installer (see
http://seclists.org/nmap-dev/2009/q4/237). [Rob Nicholls]

[Ncat] Ncat now prints a message like "Connection refused." by
default when a socket error occurs. This used to require -v, but
printing no message at all could make a failed connection look like
success in a case like

[NSE] At debug level 2 or higher (-d2), Nmap now prints all active
scripts (running & waiting) and a backtrace whenever a key is
pressed. This can be quite helpful in debugging deadlocks and other
script/NSE problems. [Patrick]

Nmap now allows you to specify --data-length 0, and that is now the
documented way to disable the new UDP protocol-specific probe
payload feature. [David]

Our Windows packages are now built on Windows 7, though they are
32-bit binaries and should continue to work on Win2K and later.

Fixed a bug that could cause an infinite loop ("Unable to find
listening socket in get_rpc_results") in RPC scan. The loop would
happen when scanning a port that sent no responses, and there was at
least one other port to scan. Thanks to Lionel Cons for reporting
the problem. [David]

[NSE] The dns-zone-transfer and whois script argument table syntax has been
improved so you don't need curly braces.

[NSE]smb-enum-shares.nse now checks whether or not a share is
writable by attempting to write a file (and deleting it if it's
successful). Significantly cleaned up the code, as well. [Ron]

Optimize MAC address prefix lookup by using an std::map rather than
a custom hash table. This increases performance and code simplicity
at the cost of some extra memory consumption. In one test, this
reduced the time of a single target ARP ping scan from 0.59 seconds
to 0.13. [David]

Added -Pn and -sn as aliases for -PN and -sP, respectively. They
will eventually become the recommended and documented way to disable
host discovery (ping scanning) and port scanning. They are more
consistent and also match the existing -n option for disabling
reverse DNS resolution. [David]

Fixed an error in the handling of exclude groups that used IPv4
ranges. Si Stransky reported the problem and provided a number of
useful test cases in http://seclists.org/nmap-dev/2009/q4/276. The
error caused various assertion failures along the lines of

[NSE] Improved the authentication used by the smb-* scripts. Instead of
looking in a bunch of places (registry, command-line, etc) for the
usernames/passwords, a table is kept. This lets us store any number
of accounts for later use, and remove them if they stop working. This
also fixes a bug where typing in a password incorrectly would lock
out an account (since it wouldn't stop trying the account in question).
[Ron]

Removed IP ID matching in packet headers returned in ICMP errors.
This was already the case for some operating systems that are known
to mangle the IDs of sent IP packets. Requiring such a match could
occasionally cause valid replies to be ignored. See
http://seclists.org/nmap-dev/2009/q2/580 for an example of host
order affecting scan results due to this phenomenon. [David]

[NSE] Unexpected error messages from scripts now include the target
host and port number. [David]

[NSE] Fixed many libraries which were inappropriately using global
variables, meaning that multiple scripts running concurrently could
overwrite each others values. NSE now automatically checks for this
problem at runtime, and we have a static code checker
(check_globals) available as well. See this whole thread
http://seclists.org/nmap-dev/2009/q3/70. [Patrick]

Added some additional matching rules to keep a reply to a SYN probe
from matching an ACK probe to the same port, or vice versa, in ping
scans that include both scan types. Such a mismatch could cause an
ineffective timing ping or traceroute probe to be selected. [David]

[Zenmap] There is a new command-line option, --confdir, which sets
the per-user configuration directory. Its value defaults to
$HOME/.zenmap. This was suggested by Jesse McCoppin. [David]

Open bpf devices in read/write mode, not read-only, in libdnet on
BSD. This is to work around a bug in Mac OS X 10.6 that causes
incoming traffic to become invisible. [David]

"make install" now removes from the Nmap script directory some
scripts which only existed in previous versions of Nmap but weren't
deleted during upgrades. [David]

[NSE] Added the reconnect_ssl method for sockets. We sometimes need
to reconnect a socket with SSL because the initial communication on
the socket is done without SSL. See this thread for more details:
http://seclists.org/nmap-dev/2009/q4/3 [Patrick, Tom Sellers]

[Zenmap] Fixed a crash that could occur when entering certain
characters in the target entry (those whose UTF-8 encoding contains
a byte that counts as whitespace in the Windows locale):

File "zenmapGUI\ScanNotebook.pyo", line 184, in _target_entry_changed
File "zenmapCore\NmapOptions.pyo", line 719, in render_string
UnicodeDecodeError: 'utf8' codec can't decode byte 0xc3 in position 1:
unexpected end of data

[NSE] There is a new function, nmap.bind, to set the source address
of a socket. [David]

[Nsock] Made it a fatal error instead of silent memory corruption
when an attempt is made to use a file descriptor whose number is not
less than FD_SETSIZE. This applies only on non-Windows platforms
where FD_SETSIZE is a limit on the value of file descriptors as well
as a limit on the number of descriptors in the set. The error will
look like

nsock_core.c:186: Attempt to FD_SET fd 1024, which is not less
than FD_SETSIZE (1024). Try using a lower parallelism.

Thanks to Brandon Enright for discovering the problem and much help
debugging it, and to Jay Fink for submitting an initial patch. [David]

[Ncat] Fixed proxy connections in connect mode on Windows. Because
the dup function does not work on Windows, an assertion failure
would be raised reading

(fh >= 0 && (unsigned)fd < (unsigned)_nhandle)

[David]

[Ncat] Fixed the combination of --max-conns and --exec on Windows.
The count of connected clients was not decreased when the program
spawned by --exec finished. With --max-conns 5, for example, no more
connections would be allowed after the fifth, even if some of the
earlier ones had ended. Jon Greaves reported the problem and Venkat
contributed a patch.

[Ncat] The code that manages the count of connected clients has been
made robust with respect to signals. The code was contributed by
Solar Designer.

The files read by the -iL (input from file) and --excludefile
options now support comments that start with # and go to the end of
the line. [Tom Sellers]

[Zenmap] On Windows, Zenmap no longer uses the cmd.exe shell to run
Nmap sub-processes. This means that canceling a scan will kill the
Nmap process as it does on other platforms (previously it would just
kill the shell). It also means that that scanning will work as a
user whose name contains characters like '&' that are significant to
the shell. Mike Crawford and Nick Marsh reported bugs related to
this. [David]

[NSE] All scripts (except for those in "version" or "demo"
categories) are now classified in either the "safe" or "intrusive"
categories, based on how likely they are to cause problems when run
against other machines on the network. Those classifications already
existed, but weren't used consistently. [Fyodor]

Added a check for a SMBv2 vulnerability (CVE-2009-3103) to
smb-check-vulns. Due to its nature (it performs a DoS, then checks
if the system is still online), the script isn't run by default and
requires a special script-arg to work. [Ron]

Fixed an integer overflow in uptime calculation which could occur
when a target with a low TCP timestamp clock frequency uses large
timestamp values, such that a naive uptime calculation shows a boot
time before the epoch. Also fixed a printf format specifier mismatch
that was revealed by the bug. Toby Simmons reported the problem and
helped with the fix. [David]

[NSE] The HTTP library now supports HTTP cookies. [Joao Correa]

Fixed a compile error on NetBSD. It was

tcpip.cc:2948: error: pointer of type 'void *' used in arithmetic

Thanks to Jay Fink for reporting the problem and submitting a patch.

[Zenmap] If you have any hosts or services selected, they will
remain selected after aggregating another scan or running a filter
(as long as they are still up and visible). Previously the selection
was lost whenever the scan inventory was changed. This is
particularly important due to the new host filter system. [David]

[Zenmap] New translation: Russian (contributed by Alexander Khodyrev).
Updated translations: French and German.

There is a new OS detection pseudo-test, SCAN.DC, which records how
the network distance in SCAN.DS was calculated. Its value can be "L"
for localhost, "D" for a direct connection, "I" for an ICMP TTL
calculation, and "T" for a traceroute hop count. This is mainly for
the benefit of OS integration, when it is sometimes important to
distinguish between DS=1%DC=I (probably the result of forged TTLs)
and DS=1%DC=D (a true one-hop connection.) [David]

[Ncat] The --idle-timeout option now exits when *both* stdin and the
socket have been idle for the given time. Previously it would exit
when *either* of them had been idle, meaning that the program would
quit contrary to your expectation when downloading a large file
without sending anything, for example. [David]

[Ncat] Ncat now always prefixes its own output messages with "Ncat: "
or "NCAT DEBUG: " to make it clear that they are not coming from the
remote host. This only matters when output goes to a terminal, where
the standard output and standard error streams are mixed. [David]

Nmap's Nbase library now has a new hexdump() function which produces
output similar to Wireshark. nmap_hexdump() is a wrapper which
prints the output using Nmap's log_write facility. The old hdump()
and lamont_dump() functions have been removed. [Luis]

Added explicit casts to (int)(unsigned char) for arguments to ctype function
calls in nmap, ncat and nbase. Thanks to Solar Designer for pointing out
the need and fix for this. [Josh]

Ncat now supports wildcard SSL certificates. The wildcard character
(*) can be in commonname field or in DNS field of Subject
Alternative Name (SAN) Extension of SSL certificate. Matching Rules:

'*' should be only on the leftmost component of FQDN. (*.example.com
but not www.*.com or www.example*.com).

The leftmost component should contain only '*' and it should be
followed by '.' (*.example.com but not *w.example.com or
w*.example.com).

There should be at least three components in FQDN. (*.example.com but
not *.com or *.com.). [venkat]

Nmap now handles the case when a primary network interface (venet0)
does not have an address assigned but its aliases do (venet0:1
etc.). This could result in the error messages

Failed to find device venet0 which was referenced in /proc/net/route
Failed to lookup subnet/netmask for device (venet0): venet0: no IPv4 address assigned

This was observed under OpenVZ. [Dmitry Levin]

[Ncat] The --ssl-cert, --ssl-key, and --ssl-trustfile options now
automatically turn on SSL mode. Previously they were ignored if
--ssl was not also used. [David]

[Nsock] Now Nsock supports pure TLSv1 and SSLv3 servers in addition
to the (already supported and far more common) SSLv2 and SSLv23
servers. Ncat currently never uses SSLv2 for security reasons, so
it is unaffected by this change.

[Ncat] Implemented basic SCTP client functionality (server already
exists). Only the default SCTP stream is used. This is also called
TCP compatible mode. While it allows Ncat to be used for manually
probing open SCTP ports, more complicated services making use of
multiple streams or depending on specific message boundaries cannot
be talked to successfully. [Daniel Roethlisberger]

Nmap now filters received ARP packets based on their target address
address field, not the destination address in the enclosing ethernet
frame. Some operating systems, including Windows 7 and Solaris 10,
are known to at least sometimes send their ARP replies to the
broadcast address and Nmap wouldn't notice them. The symptom of this
was that root scans wouldn't work ("Host seems down") but non-root
scans would work. Thanks to Mike Calmus and Vijay Sankar for
reporting the problem, and Marcus Haebler for suggesting the
fix. [David]

The -fno-strict-aliasing option is now used unconditionally when
using GCC. It was already this way, in effect, because a test
against the GCC version number was reversed: <= 4 rather than >= 4.
Solar Designer reported the problem.

Nmap now prints a warning instead of a fatal error when the hardware
address of an interface can't be found. This is the case for
FireWire interfaces, which have a hardware address format not
supported by libdnet. Thanks to Julian Berdych for the bug report.
[David]

Zenmap's UI performance has improved significantly thanks to
optimization of the update_ui() function. In particular, this speeds
up the new host filter system. [Josh]

Made RPC grinding work from service detection again by changing the
looked-for service name from "rpc" to "rpcbind", the name it has in
nmap-service-probes. Also removed some dead code. [David]

Fixed a log_write call and a pfatal call to use a syntax which is
safer from format strings bugs. This allows Nmap to build with the
gcc -Wformat -Werror=format-security options. [Guillaume Rousse,
Dmitry Levin]

A bug in Nsock was fixed: On systems where a non-blocking connect
could succeed immediately, connections that were requested to be
tunneled through SSL would actually be plain text. This could be
verified with an Ncat client and server running on localhost. This
was observed to happen with localhost connections on FreeBSD 7.2.
Non-localhost connections were likely not affected. The bug was
reported by Daniel Roethlisberger. [David]

Ncat proxy now hides the proxy's response ("HTTP/1.0 200 OK" or
whatever it may be). Before, if you retrieved a file through a
proxy, it would have the "HTTP/1.0 200 OK" stuck to the top of
it. For this Ncat uses blocking sockets until the proxy negotiation
is done and once it is successful, Nsock takes over for rest of the
connection.[Venkat]

[NSE] Fixed a rare but possible segfault which could occur if the
nsock binding attempted to push values on the stack of a thread
which had already ended due to an error, and if that internal Lua
stack was already completely full. This bug is very hard to
reproduce with a SEGFAULT but is usually visible when Lua assertion
checks are turned on. A socket handler routine must be called AFTER
a thread has ended in error. [Patrick]

[Ncat] Fixed an error that would cause Ncat to use 100% CPU in
broker mode after a client disconnected or a read error happened.
[Kris, David]

[NSE] --script-args may now have whitespace in unquoted strings (but
surrounding whitespace is ignored). For example,
--script-args 'greeting = This is a greeting' Becomes:
{ ["greeting"] = "This is a greeting" } [Patrick]

[Ncat] Using --send-only in conjunction with the plain listen or
broker modes now behaves as it should: nothing will be read from the
network end. Ncat previously read and discarded any data
received. [Kris]

[Nsock] Added a socket_count abstraction that counts the number of
read or write events pending on a socket, for the purpose of
maintaining an fd_set. The bit is set in the fd_set whenever the
count is positive, and cleared when it is zero. The reason for doing
this was that write bits were not being properly cleared when using
Ncat with SSL in connect mode, such that a client send would cause
Ncat to use 100% CPU until it received something from the
server. See the thread at
http://seclists.org/nmap-dev/2009/q2/0413.html . This change will
also make it easier to use a different back end than select in the
future. [David]

Fixed a logic error in getinterfaces_siocgifconf. The check for
increasing the capacity of the list of interfaces was off by
one. This caused a crash on initialization for systems with more
than 16 network interfaces. [David]

Added Apache JServe protocol version detection probe and signatures
and some some other nmap-service-probes patches. [Tom Sellers]

Fixed two memory leaks in ncat_posix.c and a bug where an open file was not
being closed in libdnet-stripped/src/intf.c [Josh Marlow]

The configure script now allows cross-compiling by assuming that
libpcap is recent enough to use rather than trying to compile and
run a test program. Libpcap will always be recent enough when Nmap's
included copy is used. [Mike Frysinger]

[Zenmap] Fixed a display hanging problem on Mac OS X reported by
Christopher Caldwell at
http://seclists.org/nmap-dev/2009/q2/0721.html . This was done by
adding gtk2 back to macports-1.8.0-universal.diff and removing the
dependency on shared-mime-info so it doesn't expect /usr/share/mime
files at runtime. Also included GDK pixbuf loaders statically rather
than as external loadable modules. [David]

Fixed a memory bug (access of freed memory) when loading exclude
targets with --exclude. This was reported to occasionally cause a
crash. Will Cladek reported the bug and contributed an initial
patch. [David]

Zenmap application icons were regenerated using the newer SVG
representation of the Nmap eye. [David]

The host discovery (ping probe) defaults have been enhanced to
include twice as many probes. The default is now "-PE -PS443 -PA80
-PP". In exhaustive testing of 90 different probes, this emerged as
the best four-probe combination, finding 14% more Internet hosts
than the previous default, "-PE -PA80". The default for non-root
users is -PS80,443, replacing the previous default of -PS80. In
addition, ping probes are now sent in order of effectiveness (-PE
first) so that less effective probes may not have to be sent. ARP
ping is still the default on local ethernet networks. [David,
Fyodor]

Added SCTP port scanning support to Nmap. SCTP is a layer 4 protocol
used mostly for telephony related applications. This brings the
following new features:

[NSE]http-open-proxy.nse has been updated to attempt HEAD and
CONNECT methods as well as previously supported GET method. It
still tries to reach http://www.google.com through the proxy by
default, but now also offers an argument for specifying a different
URL. [Joao Correa]

[Ncat] There is a backwards-incompatible change in the way that
listen mode works. The new default behavior is to accept only one
connection, and quit when the connection ends. This was necessary to
prevent data loss in some situations; some programs require Ncat to
send an EOF before they flush their internal buffers and finish
processing the last bit of data. See
http://seclists.org/nmap-dev/2009/q2/0528.html for more information.
Use the new -k or --keep-open option to get the old behavior, in
which Ncat will accept multiple simultaneous connection, combine all
their input, and accept more connections after a disconnection.
[Daniel Roethlisberger, David]

Ncat handling of newlines on Windows has been improved. CRLF is
automatically converted to a bare LF when input is from the console,
but left untouched when it is from a pipe or a file. No newline
translation is done on output (where it was being done before). This
makes it possible to transfer binary files with Ncat on Windows
without any corruption, while still being able to interactively ncat
into UNIX shells and other processes which require bare
newlines. Ncat clients now work the same way on UNIX and Windows in
that respect. For cases where you do want \r\n line endings (such
as connections to web and email servers or Windows cmd.exe shells),
specify -C whether your client is running on UNIX or
Windows. [David]

Nmap RPM packages (x86 and x86-64) are now built with OpenSSL
support (statically linked in to avoid dependencies). They are also
now built on CentOS 5.3 for compatibility with RHEL, Fedora, and
other distributions. Please let us know if you discover any
compatibility problems (or other issues) with the new RPMs. [Fyodor]

[Zenmap] The Topology tab now has a "Save Graphic" button that
allows saving the current topology display as a PNG, postscript,
PDF, and SVG image. [Joao Medeiros, David]

Changed the default UDP ping (-PU) port from 31338 to 40125. This
appears to be a better port based on David's empirical testing.

Zenmap now works on RHEL/CentOS since it no longer requires the
hashlib library (which was introduced in Python 2.5, but RHEL 5
still uses 2.4) and removing the pysqlite2 requirement (RHEL does
not offer that module). It is still desirable to have pysqlite2
when available, since it enables Zenmap searching and database
saving features. [David]

Ncat can now send SSL certificates in connect mode for client
authentication by using the --ssl-cert and --ssl-key options. The
specified certificates are only sent when requested by the
server. [Venkat]

Nmap can now handle -PS and -PA at the same time when running nmap
as non-root or using IPv6. It now combines the two port lists [Josh
Marlow]

[Ncat] SSL in listen mode now works on systems like BSD in which a
socket inherits its blocking or non-blocking status from the
listening socket. [David, Daniel Roethlisberger]

The --packet-trace/--version-trace options now shows the names of
version detection probes as they are sent, making the version
detection process easier to understand and debug. [Tom Sellers]

The GPG detached signatures for Nmap releases now use the more
standard .asc extension rather than .gpg.txt. They can still be
found at https://nmap.org/dist/sigs/ and the .gpg.txt versions for
previous releases are still available for compatibility reasons. For
instructions on verifying Nmap package integrity, see
https://nmap.org/book/install.html#inst-integrity. [Fyodor]

[Zenmap] Fixed two bugs: 1) When two scans are performed in Zenmap
and aggregated, the first one was being modified in the process,
preventing you from doing diffs in the "compare scans" dialogue or
properly saving the first scan individually. 2) If you start two
scans, then the faster one finishes and you cancel and remove the
slower one while still in progress, much of the results from both
scans are lost. [Josh Marlow]

[NSE] Clean up output (generally reducing default verbosity) for the
p2p-conficker, smb-check-vulns, and http-iis-webdav-vuln scripts. In
general, we don't ask scripts to report that a host is clean unless
Nmap's verbosity level (-v) is at least one or two. [Ron, Fyodor]

[Zenmap] Added the -PS22,25,80 option found in the Quick Traceroute
profile to some of the Intense scan profiles for improved host
discovery. [Josh Marlow]

[Ndiff] Avoid printing a "Not shown:" line if there weren't any
ports in the non-shown (extraports) list. [David]

[Ncat] Fixed Ncat compilation with versions of OpenSSL before 0.9.7.
Previously it would fail in ncat_openssl.c with the message
"structure has no member named `it'". The problem was reported by
Jaroslav Fojtik. [David]

[NSE] Removed the packet.hextobin(str) and packet.bintohex(str)
functions. They are redundant since you get the same functionality
by calling bin.pack("H", str) and bin.unpack("H", str),
respectively. [Patrick]

[NSE] Fixed the parsing of --script-args, which was only accepting
alphanumeric characters and underscores in values. Now a key, value,
or array value may be a sequence of any characters except '{', '}',
',', '=', and all space characters. You may overcome this
restriction by using quotes (single or double) to allow all
characters within the quotation marks. You may also use the quote
delimiter inside the sequence so long as it is escaped by a
backslash. See
http://seclists.org/nmap-dev/2009/q2/0211.html . [Patrick]

[NSE] When a script ends for any reason, all of its mutexes are now
unlocked. This prevents a permanent (and painful to debug) deadlock
when a script crashes without unlocking a mutex. See
http://seclists.org/nmap-dev/2009/q2/0533.html . [Patrick]

Fixed a bug wherein nmap would not display the post-scan count of
raw packets sent during a SYN ping scan (-sP -PS). [Josh Marlow]

Changed the ICMP ping probes to use a random non-zero ICMP id.
David's empirical testing found that some hosts drop probes when the
ICMP id is 0 [Josh Marlow]

[NSE] Fixed a --script argument processing bug in which Nmap would
abort when an expression matches a set of scripts which were loaded
by other expressions first (a simple example is "--script
default,DEFAULT". [Patrick]

[Zenmap] Operating system icons are now always loaded as PNGs, even on
platforms which support SVG images. That is much faster, and Zenmap
currently never scales the images anyway. [Josh]

[Ncat] The Nmap Windows uninstaller now removes the Ncat CA list
(ca-bundle.crt) which has been installed since 4.85BETA9. [Jah]

[NSE] Upon connection failure, a socket now immediately unlocks its
"socket lock" to allow other pending socket connections to succeed
sooner. This slightly improves scan speeds by eliminating the wait
for garbage collection to free the resource. [Patrick]

[NSE] Corrected a bug in nse_nsock.cc that could result in a crash
from the use of an invalid Lua state if a thread is collected due to
timeout or other rare reasons. Essentially, the callbacks from the
nsock library were returning to an already-collected Lua state. We
now maintain a reference to the Lua State Thread in the nsock
userdata environment table to prevent early collection. This is a
temporary patch for the stable release pending a more detailed
review of the NSE nsock library binding. [Patrick]

[NSE] When an NSE script in the database (script.db) is requested
but not found on the filesystem, Nmap now prints a warning rather
than aborting. We accidentally shipped with such a phantom script
(smb-check-vulns-2.nse) in 4.85BETA8. [Patrick]

Fixed a bug where an ICMP echo, timestamp, or address mask reply
could be matched up with the wrong ICMP probe if more than one ICMP
probe type was being sent (as with the new default ping). This lead
to timing calculation problems. [David]

[Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when
searching scan results by date. [David]
The error message was: File "zenmapGUI\SearchGUI.pyo", line 816, in
set_date TypeError: argument must be sequence of length 9, not 3

Patched configure.ac to detect Lua include and library files in
"lua5.1" subdirectories of /usr/include and the like. Debian
apparently puts them there. We still check the likes of
/usr/include/lua.h and /usr/include/lua/lua.h as well. [Jan
Christoph Nordholz]

Improved nsock's fselect() to be a more complete replacement for
select() on the Windows platform. In particularly, any or all of the
FD sets can be null or empty descriptor sets. This fixes an error
("nsock_loop error 10022") which would occur when you ran ncat
--send-only on Windows. [David]

The --with-openssl= directive now works for specifying the SSL
location to the nsock library. It was previously not passing the
proper include file path to the compiler. [Fyodor]

The --traceroute feature is now properly disabled for IPv6 ping
scans (-6 -sP) since IPv6 traceroute is not currently
supported. [Jah]

Nmap's make install target now uses $(INSTALL) rather than cp to
copy NSE scripts and libraries to ensure that file permissions are
set properly. [Fyodor]

Improved the Oracle DB version detection signatures. [Tom Sellers]

[NSE] Remove the old nse_macros.h header file. This involved
removing the SCRIPT_ENGINE_* status defines, moving the likes of
SCRIPT_ENGINE_LUA_DIR to nse_main.h, removing the last remaining use
of SCRIPT_ENGINE_TRY, and moving the FILES and DIRS defines to
nse_fs.h. [Patrick]

Cleaned up the libpcre build system a bit by removing Makefile.am
and modifying configure.ac to prevent unnecessary removal of
pcre_chartables.cc in some instances. [Fyodor]

Fixed a bug which would cause Nmap to sometimes miscount the number
of hosts scanned and produce warnings such as "WARNING: No targets
were specified, so 0 hosts scanned" when --traceroute and -sP were
combined. [Jah]

Changed Nmap and Ncat's configure.ac files to check in more
situations whether -ldl is required for compilation and add it where
necessary. [Fyodor]

When building Nmap RPMs using the spec file, you can now pass in an
openssl argument, the contents of which are passed to ./configure's
--with-openssl option. So you can pass rpmbuild an option such as
--define "openssl /usr/local/ssl". [Fyodor]

Fixed the make distclean target to avoid a failure which could occur
when you ran it right after a make clean (it might have failed in
other situations as well). [David]

Ncat now makes sockets blocking before handing them off to another
program with --exec or --sh-exec. This is to resolve a failure where
the command "ncat --exec /usr/bin/yes localhost" would stop sending
because yes would send data so quickly that kernel send buffers
could not keep up and socket writes would start generating EAGAIN
errors. [Venkat]

Ncat now ignores SIGPIPE in listen mode. This fixes the command
"yes | ncat -l --keep-open --send-only", which was failing after the
first client disconnected due to a broken pipe signal when Ncat
would try to write more date before realizing that the client had
closed the connection.

Integrated all of your 1,156 of your OS detection submissions and
your 50 corrections since January 8. Please keep them coming! The
second generation OS detection DB has grown 14% to more than 2,000
fingerprints! That is more than we ever had with the first system.
The 243 new fingerprints include Microsoft Windows 7 beta, Linux
2.6.28, and much more. See
http://seclists.org/nmap-dev/2009/q2/0335.html . [David]

[Ncat] A whole lot of work was done by David to improve SSL
security and functionality:

Ncat now does certificate domain and trust validation against
trusted certificate lists if you specify --ssl-verify.

[Ncat] To enable SSL certificate verification on systems whose
default trusted certificate stores aren't easily usable by
OpenSSL, we install a set of certificates extracted from Windows
in the file ca-bundle.crt. The trusted contents of this file are
added to whatever default trusted certificates the operating
system may provide. [David]

Ncat now automatically generates a temporary keypair and
certificate in memory when you request it to act as an SSL server
but you don't specify your own key using --ssl-key and --ssl-cert
options. [David]

[Ncat] In SSL mode, Ncat now always uses secure connections,
meaning that it uses only good ciphers and doesn't use
SSLv2. Certificates can optionally be verified with the
--ssl-verify and --ssl-trustfile options. Nsock provides the
option of making SSL connections that prioritize either speed or
security; Ncat uses security while version detection and NSE
continue to use speed. [David]

[NSE] Added Boolean Operators for --script. You may now use ("and",
"or", or "not") combined with categories, filenames, and wildcarded filenames
to match a set files. Parenthetical subexpressions are allowed for
precedence too. For example, you can now run:

nmap --script "(default or safe or intrusive) and not http-*" scanme.nmap.org

[Zenmap] The command wizard has been removed. The profile editor has
the same capabilities with a better interface that doesn't require
clicking through many screens. The profile editor now has its own
"Scan" button that lets you run an edited command line immediately
without saving a new profile. The profile editor now comes up
showing the current command rather than being blank. [David]

[Zenmap] Added an small animated throbber which indicates that a
scan is still running (similar in concept to the one on the
upper-right Firefox corner which animates while a page is
loading). [David]

Regenerate script.db to remove references to non-existent
smb-check-vulns-2.nse. This caused the following error messages when
people used the --script=all option: "nse_main.lua:319:
smb-check-vulns-2.nse is not a file!" The script.db entries are now
sorted again to make diffs easier to read. [David, Patrick]

Fixed --script-updatedb on Windows--it was adding bogus backslashes
preceding file names in the generated script.db. Reported by
Michael Patrick at http://seclists.org/nmap-dev/2009/q2/0192.html,
and fixed by Jah. The error message was also improved.

The official Windows binaries are now compiled with MS Visual C++
2008 Express Edition SP1 rather than the RTM version. We also now
distribute the matching SP1 version of the MS runtime components
(vcredist_x86.exe). A number of compiler warnings were fixed
too. [Fyodor,David]

Fixed a bug in the new NSE Lua core which caused it to round
fractional runlevel values to the next integer. This could cause
dependency problems for the smb-* scripts and others which rely on
floating point runlevel values (e.g. that smb-brute at runlevel 0.5
will run before smb-system-info at the default runlevel of 1).

The SEQ.CI OS detection test introduced in 4.85BETA4 now has some
examples in nmap-os-db and has been assigned a MatchPoints value of
50. [David]

[Ncat] When using --send-only, Ncat will now close the network
connection and terminate after receiving EOF on standard input.
This is useful for, say, piping a file to a remote ncat where you
don't care to wait for any response. [Daniel Roethlisberger]

[NSE] Made hexify in nse_nsock.cc take an unsigned char * to work
around an assertion in Visual C++ in Debug mode. The isprint,
isalpha, etc. functions from ctype.h have an assertion that the
value of the character passed in is <= 255. If you pass a character
whose value is >= 128, it is cast to an unsigned int, making it a
large positive number and failing the assertion. This is the same
thing that was reported in
http://seclists.org/nmap-dev/2007/q2/0257.html, in regard to
non-ASCII characters in nmap-mac-prefixes. [David]

[NSE] Fixed a segmentation fault which could occur in scripts which
use the NSE pcap library. The problem was reported by Lionel Cons
and fixed by Patrick.

[NSE] Port script start/finish debug messages now show the target
port number as well as the host/IP. [Jah]

Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in
addition to the CONNECT tunneling method, so it can be used as a
proxy with an ordinary web browser.[David]

Ncat can now run as an authenticated proxy in HTTP proxy mode. Use
--proxy-auth to provide a username and password that will be required
of proxy users. Only the insecure (not encrypted) Basic authentication
method is supported. [David]

Ndiff's text output has been redone to look more like Nmap output
and be easier to read. See the Ndiff README file for an example. The
XML output is now based on Nmap's XML output as well. Zenmap's diff
viewer now shows the new output with syntax highlighting. [David]

The new versions of the Conficker Internet worm ban infected systems
from visiting Insecure.Org and Nmap.Org. We take that as a
compliment to the effectiveness of our remote Conficker scanner.
They also ban DNS substrings "honey" (for the Honeynet Project),
"doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable
Security, "coresecur" for Core Security Technologies, and
"iv.cs.uni" for those meddlesome (to the Conficker authors)
researchers at the University of Bonn. For people who can't reach
nmap.org due to infection, I've mirrored this release at
http://sectools.org/nmap/. [Fyodor]

New Conficker versions eliminate the loophole we were using to
detect them with smb-check-vulns,nse, so we've added new methods
which work with the newest variants. Here are the Conficker-related
improvements since BETA7:

Since new Conficker variants prevent detection by our previous
MSRPC check in smb-check-vulns, we've added a new check which still
works. It involves calling netpathcanonicalize on "\" rather than
"\..\" and checking for a different return value. It was discovered
by Felix Leder and Tillmann Werner. [Ron]

[Ndiff] The setup.py installation script now suggests installing the
python-dev package in a certain error situation. Previously the
error message it printed was misleading:

error: invalid Python installation: unable to open
/usr/lib/python2.6/config/Makefile (No such file or directory)

The change was suggested by Aaron Leininger. [David]

[Nbase] The checksum functions now have an nbase_ prefix. This
should prevent name collisions with internal but exported functions
in shared libraries Nmap links against (e.g. adler32() in zlib).
Such collisions seem to confuse the runtime linker on some platforms.
[Daniel Roethlisberger]

Fixed banner.nse to remove surrounding whitespace from banners. For
example, this avoids a superfluous carriage return and newline at the
end of SSH greetings. [Patrick]

Expanded and tweaked the product/version/info of service scans in an
attempt to reduce the number of warnings like "Warning: Servicescan
failed to fill info_template...". Parts of this change include:

Improved the text of the warning to be less confusing

Increased the internal version info buffer to 256 chars from 128

Increased the final version string length to 160 from 128 chars

Changed the behavior when constructing the final version string so
that if it runs out of space, rather than dropping the output of that
template it truncates the template with ...

Fixed the printing of unneeded spaces between templates when one of the
templates isn't going to be printed at all.

[Brandon]

Improved the service scan DB to remove certain problematic regex
patterns which could lead to PCRE_MATCHLIMIT errors. For example,
instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to
".*" as long as the DOTALL (/s) modifier was set. [Brandon]

Changed some error() calls (which were more informational than error
messages) to use log_write() instead, and changed a few f?printf()
calls into error() or log_write(). [Brandon]

[Ncat] Fixed a bug in the resolve() function which could cause Ncat
to resolve names using the wrong address family (such as AF_INET
rather than AF_INET6) in some rare cases. [Daniel Roethlisberger]

[Zenmap] Worked around a GTK+ bug on Windows reported by Henry Nymann.
It caused a crash when opening the Hosts Viewer on a host that had OS
information. A window appeared saying simply "Runtime Error!". [David]

[Zenmap] Gracefully handle unrecognized port states in the hosts
viewer. Apparently old versions of Nmap can return a state of
"unknown". This prevents this crash:

Rewrote the debugging error message "Found whacked packet protocol
17 in get_ping_pcap_result" because we decided that receiving a UDP
packet during TCP ping scan is not egregious enough to qualify as
"whacked". [David]

Reduce false negative rate. We (and all the other scanners) used
to require the 0x57 return code as well as a canonicalized path
string including 0x5c450000. Tenable confirmed an infected system
which returned a 0x00000000 path, so we now treat any hosting
returning code 0x57 as likely infected. [Ron]

Add workaround for crash in older versions of OpenSSL which would
occur when we received a blank authentication challenge string
from the server. The error looked like: evp_enc.c(282): OpenSSL
internal error, assertion failed: inl > 0". [Ron]

Add helpful text for the two most common errors seen in the
Conficker check in smb-check-vulns.nse. So instead of saying
things like "Error: NT_STATUS_ACCESS_DENIED", output is like:
| Conficker: Likely CLEAN; access was denied.
| | If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
| | (replace xxx and yyy with your username and password). Also try
| |_ smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)
The other improved message is for
NT_STATUS_OBJECT_NAME_NOT_FOUND. [David]

A copy of the Nmap public svn repository (/nmap, plus its zenmap,
nsock, nbase, and ncat externals) is now available at
https://nmap.org/svn/. We'll be updating this regularly, but it may
be slightly behind the SVN version. This is particularly useful
when you need to link to files in the tree, since browsers generally
don't handle svn:// repository links. [Fyodor]

Fixed some bugs with the Conficker detection script
(smb-check-vulns) [Ron]:

SMB response timeout raised to 20s from 5s to compensate for
slow/overloaded systems and networks.

MSRPC now only signs messages if OpenSSL is available (avoids an
error).

Better error checking for MS08-067 patch

Fixed forgotten endian-modifier (caused problems on big-endian
systems such as Solaris on SPARC).

Host status messages (up/down) are now uniform between ping scanning
and port scanning and include more information. They used to vary
slightly, but now all look like

Host <host> is up (Xs latency).
Host <host> is down.

The new latency information is Nmap's estimate of the round trip
time. In addition, the reason for a host being up is now printed for
port scans just as for ping scans, with the --reason option. [David]

Version detection now has a generic match line for SSLv3 servers,
which matches more servers than the already-existing set of specific
match lines. The match line found 13% more SSL servers in a test.
Note that Nmap will not be able to do SSL scan-through against a
small fraction of these servers, those that are SSLv3-only or
TLSv1-only, because that ability is not yet built into Nsock. There
is also a new version detection probe that works against SSLv2-only
servers. These have shown themselves to be very rare, so that probe
is not sent by default. Kristof Boeynaems provided the patch and did
the testing.

[Zenmap] A typo that led to a crash if the ndiff subprocess
terminated with an error was fixed. [David] The message was

File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
UnboundLocalError: local variable 'error_test' referenced before assignment

The text could be different, because the error was caused by
translating a string that was also being used as an index into an
internal data structure. The string will be untranslated until that
part of the code can be rewritten. [David]

[Zenmap] A bug was fixed that caused a crash when doing a keyword:
or target: search over hosts that had a MAC address. [David]
The crash output was

File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
File "zenmapCore\SearchResult.pyo", line 183, in match_target
TypeError: argument of type 'NoneType' is not iterable

Fixed a bug which prevented all comma-separated --script arguments
from being shown in Nmap normal and XML output files where they show
the original Nmap command. [David]

Fixed ping scanner's runtime statistics system so that instead of
saying "0 undergoing Ping Scan" it gives the actual number of hosts in
the group (e.g. 4096). [David]

[Zenmap] A crash was fixed in displaying the "Error creating the
per-user configuration directory" dialog:

File "zenmap", line 104, in <module>
File "zenmapGUI\App.pyo", line 129, in run
UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45:
invalid data

The crash would only happen to users with paths containing
multibyte characters in a non-UTF-8 locale, who also had some error
preventing the creation of the directory. [David]

Ron (in just a few hours of furious coding) added remote detection
of the Conficker worm to smb-check-vulns. It is based on new
research by Tillmann Werner and Felix Leder. You can scan your
network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
-v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

Ndiff now includes service (version detection) and OS detection
differences. [David]

[Ncat] The --exec and --sh-exec options now work in UDP mode like
they do in TCP mode: the server handles multiple concurrent clients
and doesn't have to be restarted after each one. Marius Sturm
provided the patch.

[Ncat] The -v option (used alone) no longer floods the screen with
debugging messages. With just -v, we now only print the most
important status messages such as "Connected to ...", a startup
banner, and error messages. At -vv, minor debugging messages are
enabled, such as what command is being executed by --sh-exec. With
-vvv you get detailed debugging messages. [David]

[Ncat] Chat mode now lets other participants know when someone
connects or disconnects, and it also broadcasts a current list of
participants at such times. [David]

[Ncat] Fixed a socket handling bug which could occur when you
redirect Ncat stdin, such as "ncat -l --chat < /dev/null". The next
user to connect would end up with file descriptor 0 (which is
normally stdin) and thus confuse Ncat. [David]

[Zenmap] The "Scan Output" expanders in the diff window now behave
more naturally. Some strange behavior on Windows was noted by Jah.
[David]

The following OS detection tests are no longer included in OS
fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. URL, DLI,
and SI were found not be helpful in distinguishing operating systems
because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
but now they are not included in prints at all. [David]

The compile-time Nmap ASCII dragon is now more ferocious thanks to
better teeth alignment. [David]

Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
test that could cause a closed-port IP ID to be written into the
array for the SEQ.TI test and cause erroneous results. The bug was
found and fixed by Guillaume Prigent.

Nbase has grown routines for calculating Adler32 and CRC32C
checksums. This is needed for future SCTP support. [Daniel
Roethlisberger]

[Zenmap] Zenmap no longer shows an error message when running Nmap
with options that cause a zero-length XML file to be produced (like
--iflist). [David]

[Zenmap] We now give the --force option to setup.py for installation
to ensure that it replaces all files. [David]

Nmap's --packet-trace, --version-trace, and --script-trace now use
an Nsock trace level of 2 rather than 5. This removes some
superfluous lines which can flood the screen. [David]

[Zenmap] Fixed a crash which could occur when loading the help URL
if the path contains multibyte characters. [David]

[Ncat] The version number is now matched to the Nmap release it came
with rather than always being 0.2. [David]

Fixed a strtok issue between load_exclude and
TargetGroup::parse_expr that caused only the first exclude on
a line to be loaded as well as an invalid read into free()'d
memory in load_exclude(). [Brandon, David]

NSE's garbage collection system (for cleaning up sockets from
completed threads, etc.) has been improved. [Patrick]

smb-pwdump.nse: Uses executables from the Pwdump6 project to dump
password hashes from a remote machine (and optionally crack them
with Rainbow Crack). Pwdump6 files have to be downloaded
separately

[Ncat] The --exec and --sh-exec options now work on Windows. This
was a big job, considering that Windows doesn't even have a fork()
call and has all sorts of socket idiosyncrasies. [David]

Doug performed one of the largest version detection integration runs
ever, processing 1,746 submissions and 18 corrections. We are now
current with all submissions up to February 3. Keep them coming.
The version detection database has grown to 5,476 signatures for 510
application protocols. Doug posted his notes on the integration at
http://hcsw.org/blog.pl/37. We now have 1,868 http server
signatures, and the number of gopher signatures has bumped up from 5
to 6.

Released the new Ncat guide which contains practical real-life Ncat
usage examples for Ncat's major features. It complements the more
option-centric man page. Read it here: https://nmap.org/ncat/guide/
[David, Fyodor]

Ndiff is now included in the Windows zip distribution. For space
reasons, it is not an executable compiled with py2exe as in the
executable installer, rather it is the Ndiff source code (ndiff.py)
and a batch file wrapper (ndiff.bat). Because it's not precompiled,
it's necessary to have a Python interpreter installed. [David]

The new --stats-every option takes a time interval that controls how
often timing status updates are printed. It's intended to be used
when Nmap is run by another program as a subprocess. Thanks to
Aleksandar Petrinic for the initial implementation. [David]

[NSE] A new function stdnse.sleep allows a script to sleep for a
given time (and yield control to other scripts). [David]

[Ncat] In --chat mode (formerly --talk), the server now announces to
everyone when someone connects or disconnects. Besides letting you
know who's connected, this also informs you of your "user name" as
soon as you connect. [David]

[Ncat] Ncat now works interactively on Windows. Before,
peculiarities in the way Windows handles reading from the keyboard
meant that typing interactively into Ncat would cause it to quit
with a write timeout. [David]

Refactored SMB and MSRPC NSE scripts significantly, moving much of
the code into the smb.lua and msrpc.lua modules where it can be
leveraged by other scripts. For example, the user enumeration
functions are used by smb-brute.nse. [Ron Bowes]

[Ncat] The syntax accepted by the --allow, --deny, --allowfile, and
--denyfile options is now the same as Nmap's target specifications.
Additionally any errors in the allow or deny specifications are
reported when the program starts, not deferred until a connection is
received. [David]

You can now use '-' by itself in a target IP specification to mean
0-255, so you could scan 192.168.-.-. An asterisk can also still be
used as an octet wildcard, but then you have to deal with shell
escaping on many platforms. [David]

Nmap was discovered in another movie! In the Russian film
Khottabych, teenage hacker Gena uses Nmap (and telnet) to hack
Microsoft. In response, MS sends a pretty female hacker to flush
him out. More details and screenshots: https://nmap.org/movies/#khottabych .

Improved operating system support for the smb-enum-sessions NSE
script; previous revisions worked on Windows 2003 or Windows 2000,
but never both. Currently, it is tested and working on both
versions. [Ron Bowes]

Implemented file-management functions in SMB, including file upload,
file download, and file delete. Only leverages by smb-pwdump.nse at
the moment, these functions give scripts the ability to perform
checks against the filesystem of a server. [Ron Bowes]

[Zenmap] A crash was fixed that occurred when you ran a scan
that didn't produce any host output (like "nmap --iflist") and then
tried to remove it from the inventory. [David]
The crash looked like

ValueError: list.remove(x): x not in list

[Ncat] In --chat mode, the server escapes potentially dangerous
control characters (in octal) before sending them to
clients. [David]

[Ndiff] Added a workaround for a bug in PyXML. The bug would cause a
crash that looked like "KeyError: 0". [David]

[Zenmap] Fixed a crash when something that looked like a format
specifier (like %y) appeared in a profile. The error message was

ValueError: unsupported format character 'y' (0x79)

[David]

A bug was fixed in route finding on BSD Unix. The libdnet function
addr_stob didn't handle the special case of the sa_len member of
struct sockaddr being equal to 0 and accessed unrelated memory past
the end of the sockaddr. A symptom of this was the fatal error

nexthost: failed to determine route to ...

which was caused by the default route being assigned a netmask other
than 0.0.0.0. [David]

Added bindings for the service control (SVCCTL) and at service (ATSVC)
services. These are both related to running processes on the remote
system (identical to how PsExec-style scripts work). These bindings
are used by smb-pwdump.nse. [Ron Bowes]

Refactored SMB authentication code into its own module, smbauth.lua.
Improved scripts' ability to store and retrieve login information
discovered by modules such as smb-brute.nse. [Ron Bowes]

Added message signing to SMB. Connections will no longer fail if the
server requires message signatures. This is a rare case, but comes up
on occasion. If a server allows but doesn't require message signing,
smb.lua will negotiate signing. This improves security by preventing
man in the middle attacks. [Ron Bowes]

Fixed the daytime.nse script to work for UDP again (it was checking
a "proto" field when the field name is actually "protocol"). [Jah]

Implemented extended security negotiations in the NSE SMB
module. Creates no noticeable change from the user's perspective,
but it's a more modern protocol. [Ron Bowes]

[Zenmap] Removed some unnecessary (mostly GTK+-related) files from
the Windows installer--nmap-4.85BETA4-setup.exe is now smaller than
it has ever been since Nmap 4.22SOC6, which was released in August
2007! [David]

Fixed the install-zenmap make target for Solaris portability.
Solaris /bin/sh does not have test(1) -e. [Daniel Roethlisberger]

Version detection used to omit the "ssl/" service name prefix if an
SSL-tunneled port didn't respond to any version probes. Now it keeps
"ssl/" as an indication that SSL was discovered, even if the service
behind it wasn't identified. Kristof Boeynaems reported the problem
and contributed a patch. [David]

[Ncat] The --talk option has been renamed --chat. --talk remains as an
undocumented alias.

There is a new OS detection test named SEQ.CI. Like TI and II, CI
classifies the target's IP ID sequence generation algorithm. CI is
based on the responses received to the probes sent to a closed port.
The algorithm for closed ports has been observed to differ from that
for open ports on some operating systems (though we don't yet know
which ones). The new test won't have an effect until new
fingerprints containing it are added to nmap-os-db. We got the idea
from some notes sent in by Dario Ciccarone. [David, Fyodor]

OS fingerprints now include the SEQ.II test (ICMP IP ID sequence
generation) even if there are no other SEQ test results. The
previous omission of SEQ.II in that case was a bug. [David]

[Ncat] The --send-only and --recv-only options now work in listen
mode as well as connect mode. [David]

[Ncat] An error in formatting bytes with the high bit set in hex
dump output was fixed. [David]

[Zenmap] New translation: Croatian (contributed by Vlatko Kosturjak).

Fixed a DNS decoding bug in dns-zone-transfer.nse that created
garbage output and could crash Zenmap by including 0x0C bytes in XML
files. The Zenmap crash looked like

[NSEDoc] Scripts that use modules automatically have the script
arguments defined by those modules included in their documentation.
It's no longer necessary to manually supply @args for the arguments
in the modules you use. For those who haven't seen the NSEDoc portal
yet, check out https://nmap.org/nsedoc/. [David]

An integer overflow in the scan progress meter was fixed. It caused
nonsense output like

[Zenmap] A better method of detecting the system locale is used, so
it should not be necessary to set the LANG environment variable on
Windows to get internationalized text. Thanks to Dirk Loss for the
suggestion. [David]

[Ncat] Added a number of automated tests for ensuring that Ncat is
working correctly. They are in /ncat/test in SVN. [David]

[Ncat] Now builds again when using the --without-openssl
option. [David]

[Zenmap] Fix auto-scroll behavior while Nmap is producing output, as
that previously failed in some cases involving wide lines in
output. [David]

[Zenmap] The network topology feature (Radialnet) has been
internationalized so its strings will be localized as well (as soon
as the relevant language's translation files are updated. To help
out, see https://nmap.org/book/zenmap-lang.html . Some remaining search
interface elements were internationalized as well. [David]

Improved the efficiency of the xml_convert() routine which handles
XML escaping. It was so inefficient that this stupid little routine
was noticeably slowing Nmap down in some cases. [David]

Removed 9 OS detection device types which only had one or two
instances in our whole database (ATM, TV, oscilloscope, etc.) and
made some other cleanups as well. We plan to enhance this even
further for the next release. [Fyodor, David, Doug]

[Zenmap] Removed some unnecessary GTK+ files from the files
installed by the Windows executable installer. [David]

[Zenmap] Tweaked the file format of the topology icons
(firewall.png, padlock.png, etc.) in an attempt to improve
compatibility with some versions of GTK+. This may fix a crash like

Removed a bunch of unnecessary files (mostly GTK related) from the
Win32 exe installer to reduce its size. [David]

Fixed an NSE crash (assertion error) which looked like
"nsock_core.c:293: handle_connect_result: Assertion `0'
failed". Brandon reported the bug, which was fixed by Doug and
David. See http://seclists.org/nmap-dev/2009/q1/0546.html .

Revert the temporary GTK DLL workaround (r11899) which added
duplicate DLL files to the distribution. David found that using a
different GTK download fixed the problem (see
docs/win32-installer-zenmap-buildguide.txt) and Fyodor was able to
reproduce and implement.

The conditions for printing OS fingerprints to XML output are now
the same as are used to decide whether to print them in the other
formats. So they will be printed if submission is desirable,
otherwise they are only printed if debugging is enabled or verbosity
is 2 or higher. [Tom Sellers]

Removed some Brazilian poetry/lyrics from Zenmap source code
(NmapOutputViewer.py). We've seen enough of it in the debug logs. "E
nao se entrega, nao".

Fix Ncat compilation with the MingW windows compiler. [Gisle Vanem]

Corrected some NSE libraries (datafiles, tab) which were using the
old arg table interface. [Patrick]

[Zenmap] Fixed a crash that happened when running a scan directly
from the command wizard without saving a profile [David]:

Added some duplicate GTK DLLs to Windows installer, as a temporary
fix for this issue: http://seclists.org/nmap-dev/2009/q1/0207.html
The problem caused a warning message complaining of problems finding
librsvg-2-2.dll to pop up 32 times before Zenmap would start. We're
still looking for a better fix. [Fyodor, Rob, Jah]

Added Ncat, a much-improved reimplementation of the venerable Netcat
tool which adds modern features and makes use of Nmap's efficient
networking libraries. Features include SSL support, proxy
connections (client or server, socks4 or connect-based, with or
without authentication, optionally chained), TCP and UDP connection
redirection, connection brokering (facilitating connections between
machines which are behind NAT gateways), and much more. It is
cross-platform (Linux, Windows, Mac, etc.) and supports IPv6 as well
as standard IPv4. See https://nmap.org/ncat/ for details. It is now
included in our binary packages (Windows, Linux, and Mac OS X), and
built by default. You can skip it with the --without-ncat configure
option. Thanks to Kris and David for their great work on this!

Added the Ndiff utility, which compares the results of two Nmap
scans and describes the new/removed hosts, newly open/closed ports,
changed operating systems, etc. This makes it trivial to scan your
networks on a regular basis and create a report (XML or text format)
on all the changes. See https://nmap.org/ndiff/ and ndiff/README for
more information. Ndiff is included in our binary packages and built
by default, though you can prevent it from being built by specifying
the --without-ndiff configure flag. Thanks to David and Michael
Pattrick for their great work on this.

Released Nmap Network Scanning: The Official Nmap Project Guide to
Network Discovery and Security Scanning. From explaining port
scanning basics for novices to detailing low-level packet crafting
methods used by advanced hackers, this book suits all levels of
security and networking professionals. A 42-page reference guide
documents every Nmap feature and option, while the rest of the book
demonstrates how to apply those features to quickly solve real-world
tasks. It was briefly the #1 selling computer book on Amazon.
Translations to the German, Korean, and Brazilian Portuguese
languages are forthcoming. More than half of the book is already
free online. For more, see https://nmap.org/book/.

David spent more than a month working on algorithms to improve port
scan performance while retaining or improving accuracy. The changes
are described at http://seclists.org/nmap-dev/2009/q1/0054.html . He
was able to reduce our "benchmark scan time" (which involves many
different scan types from many source networks to many targets) from
1879 seconds to 1321 without harming accuracy. That is a 30% time
reduction!

Introduced the NSE documentation portal, which documents every NSE
script and library included with Nmap. See https://nmap.org/nsedoc/.
Script documentation was improved substantially in the process.
Scripts and libraries must use the new NSEDoc format, which is
described at https://nmap.org/book/nsedoc.html . Thanks to Patrick
and David for their great work on this.

The 2nd Generation OS Detection System was dramatically improved for
improved accuracy. After substantial testing, David and Fyodor made
the following changes:

The "T" (TTL test) result ranges were widened to prevent minor
routing (and device hardware inconsistency) variations from causing
so many matches to fail.

The TG (TTL guess) results were canonicalized. Nmap is only
capable of assigning the values 0x20, 0x40, 0x80, and 0xFF for
these tests, yet many fingerprints had different values. This was
due to bugs in our fingerprint integration tools.

The U1.TOS and IE.TOSI tests (both having to do with the IP Type
of Service field) have been effectively eliminated (MatchPoints
set to 0). These proved particularly susceptible to false results
due to networking hardware along the packet route manipulating the
TOS header field.

An important bug in OS detection's congestion control algorithms
was fixed. It could lead to Nmap sending packets much too quickly
in some cases, which hurt accuracy.

Integrated all of your OS detection fingerprint submissions and
corrections up to January 8. The DB has grown more than 17% to
1,761 fingerprints. Newly detected services include Mac OS X
10.5.6, Linux 2.6.28, iPhone 2.1, and all manner of WAPs, VoIP
phones, routers, oscilloscopes, employee timeclocks, etc. Keep those
submissions coming!

Ron Bowes embarked on a massive MSRPC/NETBIOS project to allow Nmap
to interrogate Windows machines much more completely. He added
three new nselib modules: msrpc, netbios, and smb. As the names
suggest, they contain common code for scripts using MSRPC, NetBIOS,
and SMB. These modules allow scripts to extract a great deal of
information from hosts running Windows, particularly Windows
2000. New or updated scripts using the modules are:

A problem that caused OS detection to fail for most hosts in a
certain case was fixed. It happened when sending raw Ethernet frames
(by default on Windows or on other platforms with --send-eth) to
hosts on a switched LAN. The destination MAC address was wrong for
most targets. The symptom was that only one out of each scan group
of 20 or 30 hosts would have a meaningful OS fingerprint. Thanks go
to Michael Head for running tests and especially Trent Snyder for
testing and finding the cause of the problem. [David]

Zenmap now runs ndiff to for its "Compare Results" function. This
completely replaces the old diff view. The diff window size is now
more flexible for user resizing as well. [David]

Added a Russian translation of the Nmap Reference Guide by Guz
Alexander. We now have translations in 15 languages available from
https://nmap.org/docs.html . More volunteer translators are welcome,
as we are still missing some important languages. Translation
instructions are available from that docs.html page.

Improved port scan performance by changing the list of high priority
ports which Nmap shifts closer to the beginning of scans because
they are more likely to be responsive. We based the change on
empirical data from large-scale scanning. The new port list is:

[NSE] Almost all scripts were renamed to be more consistent. They
are now all lowercase and most of them start with the name of the
service name they query. Words are separated by hyphens. [David,
Fyodor]

[NSE] Now that scripts are better named, the "Id" field has been
removed and the script name (sans the .nse or directory path
information) is used in script output instead. [David]

[NSE] Added banner.nse, a simple script which connects to open TCP
ports and prints out anything sent in the first five seconds by the
listening service. [Jah]

Zenmap no longer outputs XML elements and attributes that are not in
the Nmap XML DTD. This was done mostly by removing things from
Zenmap's output, and adding a few new optional things to the Nmap
DTD. A scan's profile name, host comments, and interactive text
output are what were added to nmap.dtd. The .usr filename extension
for saved Zenmap files is deprecated in favor of the .xml extension
commonly used with Nmap. Because of these changes the
xmloutputversion has been increased to 1.03. [David]

The NSE registry now persists across host groups so that values
stored in it will remain until they are explicitly removed or Nmap
execution ends. [David]

Enhanced the AS Numbers script (ASN.nse) to better consolidate
results and bail out if the DNS server doesn't support the ASN
queries. [Jah]

Added a script that checks for ms08-067-vulnerable hosts
(smb-check-vulns.nse) using the smb nselib. It also checks for an
unfixed denial of service vulnerability Ron discovered in the
Windows 2000 registry service. [Ron Bowes]

[Zenmap] Text size is larger on Mac OS X thanks to a new included
gtkrc file. [David]

Reduced memory consumption for some longer-running scans by removing
completed hosts from the lists after two minutes. These hosts are
kept around in case there is a late response, but this draws the
line on how long we wait and hence keep this information in memory.
See http://seclists.org/nmap-dev/2008/q3/0902.html for more. [Kris]

The Windows installer now uses Zenmap binaries built using Python
2.6.1 rather than 2.5.1 [Fyodor]

When a system route can't be matched up directly with an interface
by comparing addresses, Nmap now tries to match the route through
another route. This helps for instance with a PPP connection where
the default route's gateway address is routed through a different
route, the one associated with the address of the PPP device. The
problem would show itself as an inability to scan through the
default route and the error message

WARNING: Unable to find appropriate interface for system route to ...

[David]

Removed a code comment which simply declared /* WANKER ALERT! */ for
no good reason. [Fyodor]

[Ncat] The -l option can now be specified w/o a port number to
listen on Ncat's default port number (31337).

[Zenmap] The Nmap output window now scrolls automatically as a scan
progresses. [David]

[NSE] We now have a canonical way for scripts to check for
dependency libraries such as OpenSSL. This allows them to handle
the issue gracefully (by exiting or doing some of their work if
possible) rather than flooding the console with error messages as
before. See https://nmap.org/nsedoc/lib/openssl.html . [Pattrick,
David, Fyodor]

The error could be seen by running a version scan against a
broadcast address. Thanks to Tilo Köppe and James Liu for reporting
the problem. [David]

An "elapsed" attribute has been added to the XML output (in the
"finished" tag), representing the total Nmap scanning time in
seconds (floating point). [Kris]

Fixed a division by zero error in the packet rate measuring code
that could cause a display of infinity packets per seconds near the
start of a scan. [Jah]

Substantially updated the Nmap Scripting Engine guide/chapter
(https://nmap.org/book/nse.html) so that it is up-to-date with all
the latest NSE improvements.

Fixed a bug in the IP validation code which would have let a specially
crafted reply sent from a host on the same LAN slip through and cause
Nmap to segfault. Thanks to ithilgore of sock-raw.homeunix.org for
the very detailed bug report. [Kris]

[Zenmap] The crash reporter further enhances user privacy by showing
all the information that will be submitted so you can edit it to
remove identifying information such as the name of your home
directory. If you provide an email address the report will be marked
private so it will not appear on the public bug tracker. [David]

[Zenmap] Zenmap now parses and records XSL stylesheet information
from Nmap XML files, so files saved by Zenmap will be viewable in a
web browser just like those produced by Nmap. [David]

A possible Lua stack overflow in the DNS module was fixed. Lua detects
these sorts of overflows and quits. [David]

[NSE] Improved html-title script to support http-alt and https-alt
(with SSL) and to handle a wider variety of redirects. [Jah]

NSE scripts that require a list of DNS servers (currently only
ASN.nse) now work when IPv6 scanning. Previously it gave an error
message: "Failed to send dns query. Response from dns.query(): 9".
[Jah, David]

[Zenmap] Added a workaround for a crash

GtkWarning: could not open display

on Mac OS X 10.5. The problem is caused by setting the DISPLAY
environment variable in one of your shell startup files; that
shouldn't be done under 10.5 and removing it will make other
X11-using applications work better. Zenmap will now handle the
situation automatically. [David]

http-auth.nse now properly checks for default authentication
credentials. A bug prevented it from working before. [Vlatko
Kosturjak]

Renamed irc-zombie.nse to auth-spoof and improved its description
and output a bit. [Fyodor]

Removed some unnecessary "demo" category NSE scripts: echoTest,
chargenTest, showHTTPVersion, and showSMTPVersion.nse. Moved
daytimeTest from the "demo" category to "discovery". Removed
showHTMLTitle from the "demo" category, but it remains in the
"default" and "safe" categories. This leaves just smtp-open-relay in
the undocumented "demo" category. [Fyodor]

[NSE] Removed ripeQuery.nse because we now have the much more robust
whois.nse which handles all the major registries. [Fyodor]

[NSE] Removed showSSHVersion.nse. Its only real claim to fame was
the ability to trick some SSH servers (including at least OpenSSH
4.3p2-9etch3) into not logging the connection. This trick doesn't
seem to work with newer versions of OpenSSH, as my
openssh-server-4.7p1-4.fc8 does log the connection. Without the
stealth advantage, the script has no real benefit over version
detection or the upcoming banner grabbing script. [Fyodor]

[NSE] The smtp-commands script output is now more compact. [Jasey
DePriest, David]

[Zenmap] Added a simple workaround for a bug in PyXML (an add-on
Python XML library) that caused a crash. The crash would happen when
loading an XML file and looked like "KeyError: 0". [David]

A crash caused by an incorrect test condition was fixed. It would
happen when running a ping scan other than a protocol ping, without
debugging enabled, if an ICMP packet was received referring to a
packet that was not TCP, UDP, or ICMP. Thanks to Brandon Enright and
Matt Castelein for reporting the problem. [David]

[Zenmap] The keyboard shortcut for "Save to Directory" has been
changed from Ctrl+v to Ctrl+Alt+s so as not to conflict with the
usual paste shortcut. [Jah, Michael]

Nmap now quits if you give a "backwards" port or protocol range like
-p 20-10. The issue was noted by Arturo "Buanzo" Busleiman. [David]

Fixed a bug which caused Nmap to infer an improper distance against
some hosts when performing OS detection against a group whose
distance varies between members. [David, Fyodor]

[Zenmap] Host information windows are now like any other windows,
and will not become unclosable by having their controls offscreen.
Thanks to Robert Mead for the bug report.

[NSE] showHTMLTitle can now follow (non-standard) relative
redirects, and may do a DNS lookup to find if the redirected-to host
has the same IP address as the scanned host. [Jah]

[NSE] Enhanced the tohex() function in the stdnse library to support
strings and added options to control the formatting. [Sven]

[NSE] The http module tries to deal with non-standards-compliant
HTTP traffic, particularly responses in which the header fields are
separated by plain LF rather than CRLF. [Jah, Sven]

[Zenmap] The help function now properly converts the pathname of the
local help file to a URL, for better compatibility with different
web browsers. [David]
This should fix the crash
WindowsError: [Error 2] The system cannot find the file specified:
'file://C:\\Program Files\\Nmap\\zenmap\\share\\zenmap\\docs\\help.html'

Nsock now uses fselect() to work around problems with select() not
working properly on non-socket descriptors on Windows. This was
needed for Ncat to work properly on that platform. See
http://seclists.org/nmap-dev/2008/q3/0766.html . [Kris]

Upgraded the OpenSSL binaries shipped in our Windows installer to
version 0.9.8i. [Kris]

[NSE] The SSLv2-support script no longer prints duplicate cyphers if
they exist in the server's supported cypher list. [Kris]

Fix compilation w/IPv6 support on Solaris by checking for inet_addr
in -lnsr before using APR_CHECK_WORKING_GETNAMEINFO in
configure. [David]

Removed the nbase_md5.* and nbase_sha1.* files because our
new nse_openssl library includes that functionality. [David]

The robots.txt NSE script is now silent when there are no
interesting results, rather than printing that robots.txt "is empty
or has no disallowed entries". [Kris]

Fixed a file (socket) descriptor leak which could occur when connect
scan probes receive certain unusual error messages (including
EHOSTUNREACH, and EHOSTDOWN). This led to error messages such as
"Socket creation in sendConnectScanProbe: Too many open files (24)"
[David]

[Zenmap] Made floating host details windows into normal top-level
windows. This avoids a problem where the edge of a window could be
off the edge of a screen and it would not be closable. The bug was
reported by Robert Mead. [David]

Use TIMEVAL_AFTER(...) instead of TIMEVAL_SUBTRACT(...) > 0 when
deciding whether a probe response counts as a drop for scan delay
purposes. This prevents an integer overflow which could
substantially degrade scan performance. [David]

Reorganized macosx/Makefile to make it easier to add in new packages
such as Ncat and Ndiff. Also removed the bogus clean-nmap and
clean-zenmap targets. [David]

[Zenmap] Fixed a crash related to the use of NmapOptions in
ScanNotebook.py using the old interface (ops.num_random_targes,
ops.input_filename) rather than the newer dict-style
interface. [Jah]

Split parallel DNS resolution and system DNS resolution into
separate functions. Previously system DNS resolution was encapsulated
inside the parallel DNS function, inside a big if block. Now the if
is on the outside and decides which of the two functions to
call. [David]

[NSE] Remove "\r\r" in script output. If you print "\r\n", the
Windows C library will transform it to "\r\r\n". So we just print
"\n" with no special case for Windows. Also fixed
showSMTPversion.nse so that it doesn't print "\r\r" in the first
place. [David]

OS scan point matching code can now handle tests worth zero
points. We now assign zero points to ignore a couple tests which
proved ineffective. [David]

[Zenmap] Catch the exceptions that are caused when there's no XML
output file, an empty one, or one that's half-complete. You can
cause these three situations, respectively, with: "nmap -V", "nmap
--iflist", or "nmap 0". Also remove the target requirement for scans
because you should be able to run commands such as "nmap --iflist"
from Zenmap. [David]

[Zenmap] Guard against the topology graph becoming empty in the
middle of an animation. This could happen if you removed a scan
from the list of scans during an animation. The error looked like:

File "usr/lib/python2.5/site-packages/radialnet/gui/RadialNet.py",
line 1533, in __livens_up AttributeError: 'NoneType' object has no
attribute 'get_nodes'

[David]

[Zenmap] Fixed a crash which could occur when you entered a command
containing only whitespace. David fixed various other possible
crashes found in the crash report tracker too. Zenmap users really
are capable of finding every possible edge case which could cause a
crash :).

There is a new "external" script category, for NSE scripts which
rely on a third-party network resource. Scripts that send data to
anywhere other than the target are placed in this category. Initial
members are ASN.nse, dns-safe-recursion-port.nse,
dns-safe-recursion-txid.nse, ripeQuery.nse, HTTP_open_proxy.nse, and
whois.nse [David]

[Zenmap] A crash was fixed that affected Windows users with
non-ASCII characters in their user names. [David]
The error looked like this (with many variations):

[Zenmap] Fixed a data encoding bug which could cause the crash
reporter itself to crash! [David]

Nmap's Windows self-installer now correctly registers/deletes the
npf (WinPcap) service during install/uninstall. Also the silent
install mode was improved to avoid a case where the WinPcap
uninstaller was (non-silently) shown. [Rob Nicholls]

Update the NSE bit library to replace deprecated use of
luaL_openlib() with luaL_register(). This fixes a build error which
occurred on systems which have Lua libraries installed but
LUA_COMPAT_OPENLIB not defined [Sven]

[Zenmap] Added a new Scan Topology system. The idea is that if we
are going to call Nmap the "Network Mapper", it should at least be
able to draw you a map of the network! And that is what this new
system does. It was achieved by integrating the RadialNet Nmap
visualization tool (http://www.dca.ufrn.br/~joaomedeiros/radialnet),
into Zenmap. Joao Medeiros has been developing RadialNet for more
than a year. For details, complete with some of the most beautiful
Zenmap screen shots ever, visit
https://nmap.org/book/zenmap-topology.html . The integration work was
done by SoC student Vladimir Mitrovic and his mentor David Fifield.

[Zenmap] Another exciting new Zenmap feature is Scan Aggregation.
This allows you to visualize and analyze the results of multiple
scans at once, as if they were from one Nmap execution. So you might
scan one network, analyze the results a bit, then scan some of the
machines more intensely or add a completely new subnet to the
scan. The new results are seamlessly added to the old, as described
at https://nmap.org/book/zenmap-scanning.html#aggregation. [David,
Vladimir]

Expanded nmap-services to include information on how frequently each
port number is found open. The results were generated by scanning
tens of millions of IPs on the Internet this summer, and augmented
with internal network data contributed by some large
organizations. [Fyodor]

Nmap now scans the most common 1,000 ports by default in either
protocol (UDP scan is still optional). This is a decrease from
1,715 TCP ports and 1,488 UDP ports in Nmap 4.68. So Nmap is faster
by default and, since the port selection is better thanks to the
port frequency data, it often finds more open ports as
well. [Fyodor]

Nmap fast scan (-F) now scans the top 100 ports by default in either
protocol. This is a decrease from 1,276 (TCP) and 1,017 (UDP) in
Nmap 4.68. Port scanning time with -F is generally an order of
magnitude faster than before, making -F worthy of its "fast scan"
moniker. [Fyodor]

The --top-ports option lets you specify the number of ports you wish
to scan in each protocol, and will pick the most popular ports for
you based on the new frequency data. For both TCP and UDP, the top
10 ports gets you roughly half of the open ports. The top 1,000
(out of 65,536 possible) finds roughly 93% of the open TCP ports and
more than 95% of the open UDP ports. [Fyodor, Doug Hoyte]

David integrated all of your OS detection fingerprint and correction
submissions from March 11 until mid-July. In the process, we
reached the 1500-signature milestone for the 2nd generation OS
detection system. We can now detect the newest iPhones, Linux
2.6.25, OS X Darwin 9.2.2, Windows Vista SP1, and even the Nintendo
Wii. Nmap now has 1,503 signatures, vs. 1,320 in 4.68. Integration
is now faster and more pleasant thanks to the new OSassist
application developed by Nmap SoC student Michael Pattrick. See
http://seclists.org/nmap-dev/2008/q3/0089.html and
http://seclists.org/nmap-dev/2008/q3/0139.html for more details.

[Zenmap] Added a context-sensitive help system to the Profile
Editor. You can now mouse-over options to learn more about what
they are used for and their proper argument syntax. [Jurand Nogiec]

When Nmap finds a probe during ping scan which elicits a response,
it now saves that information for the port scan and later phases.
It can then "ping" the host with that probe as necessary to collect
timing information even if the host is not responding to the normal
port scan packets. Previously, Nmap's port scan timing pings could
only use information gathered during that port scan itself. A
number of other "port scan ping" system improvements were made at
the same time to improve performance against firewalled hosts. For
full details, see http://seclists.org/nmap-dev/2008/q3/0647.html
[David, Michael, Fyodor]

--traceroute now uses the timing ping probe saved from host
discovery and port scanning instead of finding its own probe. The
timing ping probe is always the best probe Nmap knows about for
eliciting a response from a target. This will have the most effect
on traceroute after a ping scan, where traceroute would sometimes
pick an ineffective probe and traceroute would fail even though the
target was up. [David]

Added dns-safe-recursion-port and dns-safe-recursion-txid
(non-default NSE scripts) which use the 3rd party dns-oarc.net
lookup to test the source port and transaction ID randomness of
discovered DNS servers (assuming they allow recursion at all).
These scripts, which test for the "Kaminsky" DNS bugs, were
contributed by Brandon Enright.

Added whois.nse, which queries the Regional Internet Registries
(RIRs) to determine who the target IP addresses are assigned
to. [Jah]

[Zenmap] Overhauled the default list of scan profiles based on
nmap-dev discussion. Users now have a much more diverse and useful
set of default profile options. And if they don't like any of those
canned scan commands, they can easily create their own in the
Profile Editor! [David]

Fyodor made a number of performance tweaks, such as:

increase host group sizes in many cases, so Nmap will now commonly
scan 64 hosts at a time rather than 30

align host groups with common network boundaries, such as /24 or
/25

Increase maximum per-target port-scan ping frequency to one every
1.25 seconds rather than every five. Port scan pings happen
against heavily firewalled hosts and the like when Nmap is not
receiving enough responses to normal scan to properly calculate
timing variables and detect packet drops.

Added a new NSE binlib library, which offers bin.pack() and
bin.unpack() functions for dealing with storing values in and
extracting them from binary strings. For details, see
https://nmap.org/book/nse-library.html#nse-binlib . [Philip
Pickering]

Added the SNMPcommunitybrute NSE script, which is a brute force
community string cracker. Also modified SNMPsysdescr to use the new
SNMP library. [Philip Pickering]

Fixed the SMTPcommands script so that it can't return multiple
values (which was causing problems). Thanks to Jah for tracking down
the problem and sending a fix for SMTPcommands. Then Patrick fixed
NSE so it can handle misbehaving scripts like this without causing
mysterious side effects.

Added a new NSE Unpwdb (username/password database) library for
easily obtaining usernames or passwords from a list. The functions
usernames() and passwords() return a closure which returns a new
list entry with every call, or nil when the list is exhausted. You
can specify your own username and/or password lists via the script
arguments userdb and passdb, respectively. [Kris]

Nmap's Nsock-utilizing subsystems (DNS, NSE, version detection) have
been updated to support the -S and --ip-options flags. [Kris]

A new --max-rate option was added, which complements --min-rate. It
allows you to specify the maximum byte rate that Nmap is allowed to
send packets. [David]

Added --ip-options support for the connect() scan (-sT). [Kris]

Nsock now supports binding to a local address and setting IPv4
options with nsi_set_localaddr() and nsi_set_ipoptions(),
respectively. [Kris]

Added IPProto Ping (-PO) support to Traceroute, and fixed support for
IPProto Scan (-sO) and the ICMP Pings (-PE, -PP, -PM) in Traceroute
as well. These could cause Nmap to hang during Traceroute. [Kris]

[Zenmap] Added a "Cancel" button for cancelling a scan in progress
without losing any Nmap output obtained so far. [Jurand Nogiec]

Improve the netbios-smb-os-discovery NSE script to improve target
port selection and to also decode the system's timestamp from an SMB
response. [Ron at SkullSecurity]

Nmap now avoids collapsing large numbers of ports in open|filtered
state (e.g. just printing that 500 ports are in that state rather
than listing them individually) if verbosity or debugging levels are
greater than two. See this thread:
http://seclists.org/nmap-dev/2008/q3/0312.html . [Fyodor]

The NSE datafiles library now has generic file parsing routines, and
the parsing of the standard nmap data files (e.g. nmap-services,
nmap-protocols, etc.) now uses those generic routines. NSE scripts
and libraries may find them useful for dealing with their own data
files, such as password lists. [Jah]

Improved nse_init so that compilation/runtime errors in NSE scripts
no longer cause the script engine to abort. [Patrick]

Fix a cosmetic bug in --script-trace hex dump output which resulting
in bytes with the highest bit set being prefixed with ffffff. [Sven
Klemm]

Removed the nselib-bin directory. The last remaining shared NSE
module, bit, has been made static by Patrick. Shared modules were
broken for static builds of Nmap, such as those in the RPMS. We also
had the compilation problems (particularly on OpenBSD) with shared
modules which lead us to make PCRE static a while back. [David]

Updated rpcinfo NSE script to use the new pack/unpack (binlib)
functions, use the new tab library, include better documentation, and
fix some bugs. [Sven Klemm]

[Zenmap] The Ports/Hosts view now provides full version detection
values rather than just a simple summary. [Jurand Nogiec]

[Zenmap] When you edit the command-entry field, then change the
target selection, Nmap no longer blows away your edits in favor of
using your current profile. [Jurand Nogiec]

Nsock now returns data from UDP packets individually, preserving the
packet boundary, rather than concatenating the data from multiple
packets into a single buffer. This fixes a problem related to our
reverse-DNS system, which can only handle one DNS packet at a time.
Thanks to Tim Adam of ManageSoft for debugging the problem and
sending the patch. Doug Hoyte helped with testing, and it was
applied by Fyodor.

[Zenmap] Fixed a crash which would occur when you try to compare two
files, either of which has more than one extraports element. [David]

Added the undocumented (except here) --nogcc option which disables
global/group congestion control algorithms and so each member of a
scan group of machines is treated separately. This is just an
experimental option for now. [Fyodor]

[Zenmap] The Ports/Hosts display now has different colors for open
and closed ports. [Vladimir]

Fixed Zenmap so that it displays all Nmap errors. Previously, only
stdout was redirected into the window, and not stderr. Now they are
both redirected. [Vladimir]

NSE can now be used in combination with ping scan (e.g. "-sP
--script") so that you can execute host scripts without needing to
perform a port scan. [Kris]

[NSE] The script_scan_result structure has been changed to a class,
ScriptResult, which now holds a Script's output in an std::string.
This removes the need to use malloc and free to manage this memory.
A similar change was made to the run_record structure. [Patrick]

[NSE] Fixed a socket exhaustion deadlock which could prevent a
script scan from ever finishing. Now, rather than limit the total
number of sockets which can be open, we limit the number of scripts
which can have sockets open at once. And once a script has one
socket opened, it is permitted to open as many more as it
needs. [Patrick]

Fixed host discovery probe matching when looking at the returned TCP
data in an ICMP error message. This could formerly lead to
incorrectly discarded responses and the debugging error message:
"Bogus trynum or sequence number in ICMP error message" [Kris]

Fixed a segmentation fault in Nsock which occurred when calling
nsock_write() with a data length of -1 (which means the data is a
NUL-terminated string and Nsock should take the length itself) and
the Nsock trace level was at least 2. [Kris]

The NSE Comm library now defaults to trying to read as many bytes as
are available rather than lines if neither the "bytes" nor "lines"
options are given. Thanks to Brandon for reporting a problem which
he noticed in the dns-test-open-recursion script. [Kris]

Updated zoneTrans.nse to replace length bytes in returned domain
names to periods itself rather than relying on NSE's old behavior of
replacing non-printable characters with periods. Thanks to Rob
Nicholls for reporting the problem. [Kris]

Some Zenmap crashes have been fixed: trying to "refresh" the output
of a scan loaded from a file, and trying to re-save a file loaded
from the command line in some circumstances. [David]

[Zenmap] The file selector now remembers what directory it was last
looking at. [David]

Zenmap defaults to showing files matching both *.xml and *.usr in
the file selector. Previously it only showed those matching *.usr.
The new combined format will be XML and .usr will be deprecated.
See http://seclists.org/nmap-dev/2008/q3/0093.html .

Nmap avoids printing the sending rate in bytes per second during a
TCP connect scan. Because the number of bytes per probe is not
known, it used to print current sending rates: 11248.85 packets / s,
0.00 bytes / s. Now it will print simply print rates like "11248.85
packets / s". [David]

[Zenmap] Nmap's installation process now include .desktop files
which install menu items for launching Zenmap as a privileged or
non-privileged process on Linux. This will mainly affect people who
install nmap and Zenmap directly from the source code. [Michael]

Improved performance of IP protocol scan by fixing a bug related to
timing calculations on ICMP probe responses. See r8754 svn log for
full details. [David]

[Zenmap] The higwidgets Python package has moved so it is now a
subpackage of zenmapGUI. This avoids naming conflicts with Umit,
which uses a slightly different version of higwidgets. [David]

A bug that could cause some host discovery probes to be incorrectly
interpreted as drops was fixed. This occurred only when the IP
protocol ping (-PO) option was combined with other ping
types. [David]

A new scanflags attribute has been added to XML output, which lists
all user specified --scanflags for the scan. nmap.dtd has been
modified to account for this. [Michael]

The loading of the nmap-services file has been made much
faster--roughly 9 times faster in common cases. This is important
for the new (much larger) frequency augmented nmap-services
file. [David]

Added a script (ASN.nse) which uses Team Cymru's DNS interface to
determine the routing AS numbers of scanned IP addresses. They even
set up a special domain just for Nmap queries. The script is still
experimental and non-default. [Jah, Michael]

[Zenmap] Clicking "Cancel" in a file chooser in the diff interface
no longer causes a crash. [David]

The shtool build helper script has been updated to version 2.0.8. An
older version of shutil caused installation to fail when the locale
was set to et_EE. Thanks to Michal Januszewski for the bug
report. [David]

[Zenmap] Removed services.dmp and os_dmp.dmp and all the files that
referred to them. They are not needed with the new search
interface. Also removed an unused search progress bar. And some
broken fingerprint submission code. Yay for de-bloating! [David]

[Zenmap] Added "%F" to the Exec link in the new Zenmap desktop
file. We expect (hope) that this will allow dragging and dropping
XML files onto the icon. [David]

[Zenmap] The -o[XGASN] options can now be specified, just as you can
at the console. [Vladimir]

[Zenmap] You can now shrink the scan window below its default
size thanks to NmapOutputViewer code enhancements. [David]

[Zenmap] Removed optional use of the Psyco Python optimizer since
Zenmap is not the kind of CPU-bound application which benefits from
Psyco.

[Zenmap] You can now select more than one host in the "Ports /
Hosts" view by control-clicking them in the column at left.

[Zenmap] The profile editor now offers the --traceroute option.

Zenmap now uses Unicode objects pervasively when dealing with Nmap
text output, though the only internationalized text Nmap currently
outputs is the user's time zone. [David]

Unprintable characters in NSE script output (which really shouldn't
happen anyway) are now printed like \xHH, where HH is the
hexadecimal representation of the character. See
http://seclists.org/nmap-dev/2008/q3/0180.html . [Patrick]

Nmap sometimes sent packets with incorrect IP checksums,
particularly when sending the UDP probes in OS detection. This has
been fixed. Thanks to Gisle Vanem for reporting and investigating the
bug. [David]

Fixed the --without-liblua configure option so that it works
again. [David]

In the interest of forward compatibility, the xmloutputversion
attribute in Nmap XML output is no longer constrained to be a
certain string ("1.02"). The xmloutputversion should be taken as
merely advisory by authors of parsers.

Doug integrated all of your version detection submissions and
corrections for the year up to May 31. There were more than 1,000
new submissions and 18 corrections. Please keep them coming! And
don't forget that corrections are very important, so do submit them
if you ever catch Nmap making a version detection or OS detection
mistake. The version detection DB has grown to 5,054 signatures
representing 486 service protocols. Protocols span the gamut from
abc, acap, access-remote-pc, activefax, and activemq, to zebedee,
zebra, zenimaging, and zenworks. The most popular protocols are
http (1,672 signatures), telnet (519), ftp (459), smtp (344), and
pop3 (201).

The Nmap Windows self-installer now automatically installs the MS
Visual C++ 2008 runtime components if they aren't already installed
on a system. These are some reasonably small DLLs that are
generally necessary for applications compiled with Visual C++ (with
dynamic linking). Many or most systems already have these installed
from other software packages. The lack of these components led to
the error message "The Application failed to initialize properly
(0xc0150002)." with Nmap 4.65. A related change is that Nmap on
Windows is now compiled with /MD rather than /MT so that it
consistently uses these runtime libraries. The patch was created by
Rob Nicholls.

Added advanced search functionality to Zenmap so that you can locate
previous scans using criteria such as which ports were open, keywords
in the target names, OS detection results, etc. Try it out with
Ctrl-F or "Tools->Search Scan Results". [Vladimir]

Added a new NSE Comm (common communication) library for common
network discovery tasks such as banner-grabbing (get_banner()) and
making a quick exchange of data (exchange()). 16 scripts were
updated to use this library. [Kris]

Added a UDP SNMPv3 probe to version detection, along with 9 vendor
match lines. The patch was from Tom Sellers, who contributed other
probes and match lines to this release as well.

Added a new timing_level() function to NSE which reports the Nmap
timing level from 0 to 5, as set by the Nmap -T option. The default
is 3. [Thomas Buchanan]

Update the HTTP library to use the new timing_level functionality to
set connection and response timeouts. An error preventing the new
timing_level feature from working was also fixed. [Jah]

Optimized the doAnyOutstandingProbes() function to make Nmap a bit
faster and more efficient. This makes a particularly big difference
in cases where --min-rate is being used to specify a very high
packet sending rate. [David]

Fixed an integer overflow which prevented a target specification of
"*.*.*.*" from working. Support for the CIDR /0 is now also
available for those times you wish to scan the entire
Internet. [Kris]

The robots.nse script has been improved to print output more
compactly and limit the number of entries of large robots.txt files
based on Nmap verbosity and debugging levels. [Eddie Bell]

Improve AIX support by linking against -lodm and -lcfg on that
platform. [David]

Updated showHTMLTitle NSE script to follow one HTTP redirect if
necessary as long as it is on the same server. [Jah]

Michael Pattrick and David created a new OSassist application which
streamlines the OS fingerprint submission integration process and
prevents certain previously common errors. OSassist isn't part of
Nmap, but the system was used to integrate some submissions for this
release. 13 fingerprints were added during OSassist testing, and
some existing fingerprints were improved as well. Expect many more
fingerprints coming soon.

Improved the mapping from dnet device names (like eth0) and WinPcap
names (like \Device\NPF_{28700713...}). You can see this mapping
with --iflist, and the change should make Nmap more likely to work
on Windows machines with unusual networking configurations. [David]

Service fingerprints in XML output are no longer be truncated to
2kb. [Michael]

Some laptops report the IP Family as NULL for disabled WiFi cards.
This could lead to a crash with the "sin->sin_family == AF_INET6"
assertion failure. Nmap no longer quits when this is
encountered. [Michael]

On systems without the GNU getopt_long_only() function, Nmap has its
own replacement. That replacement used to call the system's
getopt() function if it exists. But the AIX and Solaris getopt()
functions proved insufficient/buggy, so Nmap now always calls its
own internal getopt() now from its getopt_long_only()
replacement. [David]

Integrated several service match lines from Tom Sellers.

An error was fixed where Zenmap would crash when trying to load from
the recent scans database a file containing non-ASCII
characters. The error looked like

The error would be seen when such a scan was found in using the
search interface. [David]

Fix a Zenmap crash which occurred when local.getpreferredencoding()
returns "None". Similarly, deal with the case when a "X-MAC-KOREAN"
is returned by this function. Both problems were found with the
Zenmap crash reporter. [David]

A whole bunch of internal Zenmap cleanup was done by David to make
the code more logical and remove dead code.

Install icons and pixmaps under /usr/share/zenmap/{icons,pixmaps} so
they don't get mixed in with the files in
/usr/share/{icons,pixmaps}. [Jurand Nogiec]

Fixed a Zenmap command entry problem where Zenmap would lose a
custom command you had entered into the command entry field if you
changed the target field after entering the custom command. [Jurand
Nogiec]

The Zenmap crash reporter now includes a stack trace rather than
just the exception name. [David]

Zenmap now executes the proper Nmap command by honoring the
nmap_command_path variable in zenmap.conf. [Jurand Nogiec]

Fixed a bug which caused -PN to erroneously bail out for
unprivileged users. Thanks to Jabra (jabra(a)spl0it.org) for the
report. [Kris]

Fixed several Nmap NSE memory leaks found with Valgrind. [Kris]

Migrated some stray malloc()/realloc() calls to the Nbase
safe_malloc()/safe_realloc() versions which guard against certain
errors.

Fixed a bunch of subtle bugs, some of which could have resulted in
a crash, reported by Ilja van Sprundel. [Kris]

Fixed several byte-order bugs in Traceroute. [Kris]

Fixed a crash in RateMeter::update() which could lead to an error
saying "diff >= 0.0" assertion failed. I think the problem was
actually caused by SMP machines which didn't sync the clock time
perfectly. This lead to gettimeofday() sometimes reporting that
time decreased by some microseconds. Now Nmap is willing to
tolerate decreases of up to 1 millisecond in this function. [Fyodor]

Nmap now returns correct values for --iflist in windows even
if interface aliases have been set. Previously it would misreport
the windevices and not list all interfaces. [Michael]

Nmap no longer crashes with an 'assert' error when its told to
access a disabled WiFi NIC on some laptops. [Michael]

A Mac OS X Nmap/Zenmap installer is now available from the Nmap
download page! It is rather straightforward, but detailed
instructions are available anyway at
https://nmap.org/book/inst-macosx.html . As a universal installer,
it works on both Intel and PPC Macs. It is distributed as a disk
image file (.dmg) containing an mpkg package. The installed Nmap
does include OpenSSL support. It also supports Authorization
Services so that Zenmap can run as root. David created this
installer. He wants to thank Benson Kalahar and Vlad Alexa for
extensive testing of the nine test releases.

The Windows version of Nmap now supports OpenSSL just as the UNIX
versions have for years. Both the .zip and executable installer
binary packages we ship from the Nmap download page now include
OpenSSL. [Kris, Thomas Buchanan]

Our WinPcap installer now starts the NPF driver running as a
service immediately upon installation and after restarts. You can
disable this with new check-boxes. This behavior is important for
Vista and Windows Server 2008 machines when User Account
Control (UAC) is enabled. [Rob Nicholls]

Nmap and Nmap-WinPcap silent installation now works. Nmap can
be silently installed with the /S option to the installer.
If you install Nmap from the zip file, you can install just
WinPcap silently with the /S option to that
installer. [Rob Nicholls]

Our WinPcap installer is now included with the Nmap Win32 zip
file. [Fyodor]

Numerous miscellaneous improvements were made to our Win32
installer, such as using the "Modern" NSIS UI for WinPcap,
improving the option description labels, and showing a finish
page in all cases. [Rob Nicholls]

The nmap-dev and nmap-hackers mailing list RSS feeds at seclists.org
now include message excerpts to make it easier to identify
interesting messages and speed the process of reading through the
list. Feeds for all other mailing lists archived at SecLists.Org
have been similarly augmented. For details, see
http://seclists.org/nmap-dev/2008/q2/0333.html . [David]

A new "default" Nmap Scripting Engine category was added. Only
scripts in this category now run by default (except for "version"
scripts which run when version detection was requested).
Previously, any scripts in the "safe" or "intrusive" categories were
run. 21 scripts are now in this default category. [Kris]

The NSE HTTP library now uses the host name specified on the command
line when making requests, which improves script scanning against
web servers with virtual hosts. Thanks to Sven Klemm for the patch.

Added some new and improved version detection signatures. [Brandon]

Fixed an OS detection bug that prevented the R1.UID test result from
being recorded properly when scanning certain printers from
little-endian computers. Updated nmap-os-db to compensate for
signatures that had an incorrect U1.RID value. [Michael]

Updated to include the latest MAC Address prefixes from the IEEE in
nmap-mac-prefixes [Fyodor]

Updated the SMTPcommands NSE script to work better against Postfix
and reduce verbosity. [Jasey DePriest, Fyodor]

Reorganized the way ping probes are handled internally. Rather than
being stored in the NmapOps structure, they are now stored within
the individual scan_lists structures. This is a cleaner
organization. [Michael]

Fix grepable output's "Ignored State" reporting. Only one ignored
state (the one with the highest numbers of ports) is shown. [David]

NSE engine was cleaned up significantly. nse_auxiliar was removed,
and file system manipulation functions were moved from nse_init.cc
into a new nse_fs.cc file. Numerous interfaces between Nmap and Lua
were improved. Most of these functions are now callable directly by
Lua. [Patrick]

Fixed a bug in the showOwner NSE script which caused it to try UDP
ports instead of just TCP ports. This made it very slow in the
common case where there are many UDP ports in the open|filtered
state. Thanks to Jasey DePriest for reporting the problem and Jah
for tracking it down and fixing it.

Nbase now generates pseudo-random numbers itself rather than using
/dev/urandom on Linux and the terrible rand() function on Windows.
The new system uses ARC4 based on libdnet's
implementation. [Brandon]

Fixed the way Zenmap handles command-line entry to prevent your
custom command-line to be overwritten with the current profile's
command just because you edited the target field. [Jurand]

Nsock was improved to better support reading from non-network
descriptors such as stdin. This is important for the upcoming Ncat
project Mixter is working on. [Mixter]

A bug was fixed that could cause Zenmap to crash when loading a
results file that had multibyte characters in it. The error looked
like:
Gtk-ERROR **: file gtktextsegment.c: line 196
(_gtk_char_segment_new): assertion failed:
(gtk_text_byte_begins_utf8_char (text))
[David]

Removed a superfluous test for the existence of the C++ compiler in
the configure script. The test was not robust when configured with
CXX="ccache g++". Thanks to Rainer Müller for the report.

Optimized cached DNS lookups so they are equally efficient when
running on big-endian or little-endian systems. [Michael]

Fixed the nmap_command_path Zenmap configuration variable so that it
is actually used to start the specified Nmap executable
path. [Jurand Nogiec]

Nmap now reports scan start and end times for individual hosts
within a larger scan. The information is added to the XML host
element like so: <host starttime="1198292349" endtime="1198292370">
It is also printed in normal output if -d or "-v -v" are
specified. [Brandon, Kris, Fyodor]

"make uninstall" now uninstalls Zenmap as well as Nmap. The
uninstall_zenmap script now deletes directories that were
installed. [David]

Fixed a bug which caused Nmap to send bad checksums on Solaris 10
x86. This was due to a workaround for an Ancient Solaris 2.1 bug
which activated when the OS string matched "solaris2.1*". The
problem has now been resolved until Solaris 20 comes out and hits
our "solaris2.2*" bug workarounds. Thanks to Nathan Bills for the
problem report. Fixed by Fyodor.

Fixed a minor memory leak in getpts_simple which occurs when no
ports are to be added to 'list'. 'porttbl' is now free'd regardless
of how the function returns. [Michael]

Nmap now understands the RFC 4007 percent syntax for IPv6 Zone IDs.
On Windows, this ID has to be a numeric index. On Linux and some
other OS's, this ID can instead be an interface name. Some examples
of this syntax:

fe80::20f:b0ff:fec6:15af%2
fe80::20f:b0ff:fec6:15af%eth0

[Kris]

The Zenmap installer and uninstaller are more careful about escaping
filenames and dealing with an installation root (DESTDIR). [David]

Since assert() calls are used for various security-related tests,
their safety is now ensured by keeping NDEBUG undefined throughout
Nmap, Nbase and Nsock. [Kris]

Fix a couple bugs in the way the Nmap build system checked for an
existing LUA library. A bashism caused one test to fail on system
which don't use bash as /bin/sh, and another bug fixed --with-liblua
configure option for specifying your own liblua. [Daniel
Roethlisberger]

The NSE nmap.registry.args table is now available, albeit empty,
when --script-args isn't used. Now scripts don't need to check if
it's nil before attempting to index it. [Kris]

Changed SSLv2-support.nse so that it only enumerates the list of
available ciphers with a verbosity level of at least two or with
debugging enabled. [Kris]

Replaced kibuvDetection.nse with version detection match lines which
work better than the script. [Kris, Brandon]

Removed mswindowsShell.nse as there is a version detection NULL
probe match which does the same thing. [Brandon, Fyodor, Kris]

Added a new --min-rate option that allows specifying a minimum rate
at which to send packets. This allows you to override Nmap's
congestion control algorithms and request that Nmap try to keep at
least the rate you specify. The rate is given in packets per
second. Read more in the Nmap man page
(https://nmap.org/book/man-performance.html) [David]

Create /nmap/macosx directory in SVN with files necessary to build
binary Mac OS X Nmap/Zenmap packages. We are trying to create
binary installer packages which are as useful and easy to use as the
Windows installer. This has involved a lot of work by David. We
aren't quite yet distributing the results on the Nmap download page,
but testing our beta versions is useful. You can find the latest
universal (PPC and Intel) binary test version by looking at David
Fifield's posts at http://seclists.org/nmap-dev/2008/q2/author.html .
You can also read /nmap/macosx/README in svn for more info.

Brandon added/modified a whole bunch of version detection signatures
based on systems discovered when scanning UCSD's network.

Reformat Nmap COPYING file (e.g. remove C comment markers, reduce
line length) during Nmap windows build so that it looks much better
when presented by the Windows executable (NSIS) installer. Thanks
to Jah for the patch, which was modified slightly by Fyodor.

Added NSE Datafiles library which reads and parses Nmap's nmap-*
data files for scripts. The functions (parse_protocols(),
parse_rpc() and parse_services()) return tables with numbers
(e.g. port numbers) indexing names (e.g. service names). The
rpcinfo.nse script was also updated to use this library. [Kris]

Fixed a bug in the nbase random number generator (and the way it
interacted with Nmap and MS Windows) which caused duplicates in some
instances. Thanks to Jah for reporting the problem and working with
Brandon Enright, Fyodor and Kris to fix it.

It turns out that hours contain 60 minutes, not 24. Fixed a scan
status message which was rolling over the hours column
prematurely. [David]

Added scripting options to Zenmap profile editor and command wizard
to make use of NSE. [David]

Zenmap now prints an exception message rather than segfaulting when
it can't open a display (such as when trying to connect to an X
server as an unauthorized user). Thanks to Aaron Leininger for the
initial report and Guilherme Polo for suggesting the fix.

Now ports in the "unfiltered" state can be selected for attention by
NSE scripts. [Kris]

Nbase random number generation system now avoids having a high-bit
of zero in every other byte on Windows due to Windows having such a
low RAND_MAX. [Jah]

Added release dates for each Nmap version to this CHANGELOG going
back to Nmap 3.00 (July 31, 2002). Dates are in MM/DD/YY format.
If someone wants to track down dates for the last 22% of the file
(pre-3.00), you are welcome to do so and send a patch. Searching
Google for the version number and site:seclists.org seems to work
well. [Fyodor]

Nmap RPM builds now use the versions of libdnet, libpcap, libpcre,
and liblua included with Nmap rather than whatever happens to be
installed on the build system. [David]

Zenmap can now be installed in and run in directories with a space
in the name. [David]

Reduce the maximum number of socket descriptors which Nmap is
allowed to open concurrently. This resoles a bug which could cause
"Too many open files" error on Mac OS X when not running as
root. [David]

Removed the "class" attribute from the tcpsequence element in XML
output. For a long time it had always been "unknown class" because
Nmap doesn't calculate a class anymore. The XML output version has
been increased from 1.01 to 1.02. [David]

Fixed the NmapArpCache so that it actually works. Previously, Nmap
was always falling back to the system ARP cache. Of course this
raises the question of whether NmapArpCache is needed in the first
place. [Daniel Roethlisberger]

Fix a Zenmap bug which could cause the error message
"zenmapCore.NmapOptions.OptionNotFound: No option named '' found!"
if you create a new profile without checking any options then try to
edit it. [David]

Zenmap now shows a more helpful error message when there is an error
in executing Nmap. [David]

Zenmap now creates the directory ~/.zenmap-etc to store
automatically generated GTK+ and Pango files. They used to go in the
application bundle but that doesn't work on a read-only file system
or disk image. This is what Wireshark does (~/.wireshark-etc),
although the directory could be called anything. It doesn't have to
persist across sessions.

Added a mechanism in Zenmap for including extra executable search
paths on specific platforms, so we can include /usr/local/bin in
PATH on Mac OS X by default and add the Nmap install directory on
Windows. [David]

We now use --no-strip when building Zenmap Mac OS X packages to
prevent many mysterious warnings which occur when the binary is
stripped. [David]

When Zenmap invokes Nmap, it now copies the whole environment for
the Nmap invocation rather than just providing $PATH. Windows may
need this to do proper name resolution. [David]

Corrected uptime parsing and reporting in SNMPsysdesr.nse for an
uptime of less than 46 hours. [Kris]

Modified the use of CXXFLAGS, CFLAGS, and CPPFLAGS in Nmap build
system to work better when building Mac OS X universal
binaries. [David]

Added many additional PCRE option flags to the list returned by the
NSE pcre.flags() function. [Kris]

Changed the NSE function nmap.set_port_state() so that it checks to
see if the requested port is already in the requested state. This
prevents "Duplicate port" messages during the script scan and the
inaccurate "script-set" state reason. [Kris]

Canonicalize NSE script license text--more than half did not even
spell license correctly. They all still say that they are under
Nmap's license, just with consistent capitalization and spelling,
and now a link to Nmap legal page at
https://nmap.org/book/man-legal.html .

Updated ripeQuery.nse to not print extraneous whitespace. [Kris]

Switched telnet brute force password cracking NSE (bruteTelnet.nse)
to vulnerability category so it isn't executed by default. It can
take too long to run. [Eddie]

NSE status messages now print host name and IP, rather than just the
host name (which was blank when Nmap didn't know it). [Jah]

Allocate 128 characters for the idle scan ScanProgressMeter
title. Previously it was 32 characters. The "idle scan against " and
the \0 terminator take up 19 characters, leaving only 13, which
isn't enough to represent all IP addresses, let alone host
names. Bug reported by Stephan Fijneman, fixed by David.

Nmap has moved. Everything at http://insecure.org/nmap/ can now be
found at https://nmap.org . That should save your fingers from a
little bit of typing. Even though transparent redirectors are in
place for the old URLs, please update your links and bookmarks. And
if you don't have a link to Nmap on your web site, now is a good
time to add one :).

All of your OS detection fingerprints up until March 10, 2008 have
now been integrated by David. The second generation database has
grown from 1,085 fingerprints representing 421 operating
systems/devices, to 1,304 fingerprints representing 478 systems.
That is an increase of more than 20%. New fingerprints were added
for Mac OS X Tiger, iPod Touch, the La Fonera WAP, FreeBSD 7.0,
Linux 2.6.24, Windows 2008, Vista, OpenBSD 4.2, and of course
hundreds of broadband routers, VoIP phones, printers, some crazy
oscilloscope, etc. We get a ton of new fingerprint submissions, but
not as many corrections. Please remember to visit
https://nmap.org/submit/ if Nmap gives you bad results, whether they
are completely wrong or just a slight mistake (like Nmap says Linux
2.6.20-2.6.23, but you're running 2.6.24). Of course you need to be
certain you know exactly what is running on the target before you do
this.

All of your service fingerprints and corrections submitted until
January 14, 2008 have now been integrated by Doug. As usual, he has
documented his adventures at http://hcsw.org/blog.pl/33 . More than
a hundred signatures were added, growing the database to 4,645
signatures for 457 services. Corrections are welcome for service
detection too -- visit https://nmap.org/submit/ if you get incorrect results.

Nmap now saves the target name (if any) specified on the command
line, since this can differ from the reverse DNS results. It can be
particularly important when doing HTTP tests against virtual hosts.
The data can be accessed from target->TargetName() from Nmap proper
and host.targetname from NSE scripts. The NSE HTTP library now uses
this for the Host header. Thanks to Sven Klemm for adding this
useful feature.

Added NSE HTTP library which allows scripts to easily fetch URLs
with http.get_url() or create more complex requests with
http.request(). There is also an http.get() function which takes
components (hostname, port, and path) rather than a URL. The
HTTPAuth, robots, and showHTMLTitle NSE scripts have been updated to
use this library. Sven Klemm wrote all of this code.

Fixed an integer overflow in the DNS caching code that caused nmap
to loop infinitely once it had expunging the cache of older
entries. Thanks to David Moore for the report, and Eddie Bell for
the fix.

Added IPv6 host support to the RPC scan. Attempting this before
(via -sV) caused a segmentation fault. Thanks to Will Cladek for
the report. [Kris]

Fixed an event handling bug in NSE that could cause execution of
some in-progress scripts to be excessively delayed. [Marek]

A new NSE table library (tab.lua) allows scripts to deliver better
formatted output. The Zone transfer script (zoneTrans.nse) has been
updated to use this new facility. [Eddie]

Rewrote HTTPpasswd.nse to use Sven's excellent HTTP library and to
do some much-needed cleaning up. [Kris]

Added a new MsSQL version detection probe and a bunch of match lines
developed by Tom Sellers.

Added a new service detection probe and signatures for the memcached
service [Doug]

Added new service detection probes and signatures for the Beast
Trojan and Firebird RDBMS. [Brandon Enright]

Fixed a crash in Zenmap which occurred when attempting to edit or
create a new profile based on an existing one when there wasn't one
selected. The error message was:

'NoneType' object has no attribute 'toolbar'

Now a new Profile Editor is opened. Thanks to D1N (d1n@inbox.com)
for the report. [Kris]

Fixed another crash in Zenmap which occurred when exiting the
Profile Editor (while editing an existing profile) by clicking the
"X", then going to edit the same profile again. The error message
was: "No option named '' found!". Now the same window that appears
when clicking Cancel comes up when clicking "X". Thanks to David
for reporting this bug. [Kris]

Another Zenmap bug was fixed: ports consolidated into "extra ports"
groups are now counted and shown in the "Host Details" tab. The
closed, filtered and scanned port counts in this tab didn't contain
this information before so they were usually very inaccurate. [Kris]

Another Zenmap bug was fixed: the --scan-delay and --max-scan-delay
buttons ("amount of time between probes") under the Advanced tab in
the Profile Editor were backwards. [Kris]

Reordered the UDP port selection for Traceroute: a closed port is
now chosen before an open one. This is because an open UDP port is
usually due to running version detection (-sV), so a Traceroute
probe wouldn't elicit a response. [Kris]

We now escape newlines, carriage returns, and tabs (\n\r\t) in XML
output. While those are allowed in XML attributes, they get
normalized which can make formatting the output difficult for
applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]

The Zenmap man page is now installed on Unix when "make install" is
run. This was supposed to work before, but didn't. [Kris]

Improved Windows executable installer by making uninstall work better
on systems which changed the default install path. The shortcut is
also now deleted properly on Vista. [Rob Nicholls]

Windows installer is now generated using NSIS 2.34 rather than
2.13. [Fyodor]

Added UPnP-info NSE script by Thomas Buchanan. It gathers
information from the UPnP service (UDP port 1900) which listens on
many network devices such as routers, printers, and networked media
players.

Fixed a --traceroute bug (assertion failure crash) which occurred
when the first hop of the first host in a tracegroup (reference
trace) times out. Thanks to Sebastián García for the bug report and
testing, and Eddie for the patch.

Fix a problem which prevented proper port number matching in
NSE scripts (port_or_service function) due to a variable
shadowing bug. [Sven Klemm]

Fixed Nmap WinPcap installer to use CurrentVersion registry key on
Windows rather than VersionNumber to more reliably detect Vista
machines. This should prevent the XP version of Packet.dll from
being installed on Vista. [Rob Nicholls]

Added rpcinfo.nse script, which contacts a listening RPC portmapper
and reports the listening services and port information (like
rpcinfo -p does). The script was written by Sven Klemm. Fyodor
then enhanced the RPC number list with all of the entries from
nmap-rpc.

Added a new NSE script (MySQLinfo) which prints MySQL server information
such as the protocol and version numbers, status, thread id, capabilities,
and password salt. [Kris]

Nmap's output options (-oA, -oX, etc.) now support strftime()-like
conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are
all the same as in strftime(). %T is the same as %H%M%S, %R is the
same as %H%M, and %D is the same as %m%d%y. A % followed by any
other character just yields that character (%% yields a %). This
means that "-oX 'scan-%T-%D.xml'" uses an XML file in the form of
"scan-144840-121307.xml". [Kris]

Fixed WinPcap installer to install the right version of Packet.dll
on Windows Vista. [Fyodor]

Fixed our WinPcap installer so that it waits for a WinPcap uninstall
(if needed) to complete before trying to install the new WinPcap.
[Jah]

Fix a bunch of warning/error messages which contained an extra
newline. [Brandon Enright]

Fixed an error when attempting to scan localhost as an unprivileged
user on Windows (nmap --unprivileged localhost). The error was:

Skipping SYN Stealth Scan against localhost (127.0.0.1) because
Windows does not support scanning your own machine (localhost) this
way.

Now connect scan is used instead of SYN scan. [David]

Fixed a bug that prevented the --resume option from working on
Windows. The error message was:
..\utils.cc(996): CreateFileMapping(), file 'testresume', length 103,
mflags 000 00006: The parameter is incorrect.(87)
[Fixed by David, reported by Rob Nicholls]

A Zenmap crash was fixed. Scanning once, then scanning another target
on the same scan tab caused an ImportError ("list index out of range")
in zenmapGUI/ScanNotebook.py. Joao Medeiros reported the
bug. [David]

Updated a couple of version detection signatures due to problem
reports by Lionel Cons. [Doug]

NSE scripts can now be specified by absolute path to the --script
option. This was supposed to work before, but didn't. [David]

Insert a path separator in returned paths in init_scandir on
Windows. Otherwise options such as "--scripts=scripts" (where
scripts is a directory) were failing with error messages about being
unable to access things like "C:\Nmap\scriptsanonFTP.nse" (should be
"C:\Nmap\scripts\anonFTP.nse"). [David]

Prevent old bit.dll and pcre.dll files from being installed in
nselib directory by Windows executable installer. Bit.dll is still
installed in nselib-bin where it belongs. Thanks to Rob Nicholls for
reporting the problem. [Fyodor]

Don't install the orphaned and incomplete Zenmap HTML documentation.
Instead point to the Nmap documentation site, which is provides more
comprehensive and up-to-date Nmap docs. We're rapidly improving the
online Zenmap docs as well. Of course the Nmap and (new!) Zenmap
man pages are still installed on Unix. [Fyodor]

Fix mswin32/Makefile so that the new nselib-bin directory is
properly included in the Nmap win32 zipfile distribution. Thanks
to Rob Nicholls for reporting the problem. [Fyodor]

Fix host reason reported when the target is found to be "down" due
to no response. Nmap now reports "no-response" rather than
"unknown-reason" [Kris]

David did a huge OS fingerprint integration marathon, going through
all of your submissions (more than 1600) since August 20. The 2nd
generation database has grown more than 30% to 1,085 entries! Many
of the existing fingerprints were improved as well. Notable new or
greatly improved entries include the iPhone, iPod Touch, Mac OS X
Leopard FreeBSD 7.0, Linux 2.6.23, Nokia cell phones (E61, E65, E70,
E90, N95), and OpenBSD 4.2. Of course there were all manner of new
printers, cable/DSL routers, switches, enterprise routers, IP
phones, cell phones and a heap of obscure equipment such as the
BeaconMedaes medical gas alarm. Windows Vista fingerprints were
also improved significantly. Please keep those OS fingerprint
submissions and corrections coming!

Doug integrated all of your version detection fingerprints and
corrections since October 4. The DB now has an incredible 4,542
signatures for 449 service protocols. The service protocols with
the most signatures are http (1,473), telnet (459), ftp (423), smtp
(327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46)
and nntp (44).

Included the netbios-smb-os-discovery.nse script which uses NetBIOS
and SMB queries to guess OS version. This script was written by
Judy Novak and contributed by Sourcefire.

Canonicalized the interface type numbers used internally by
libdnet. Also Libdnet now recognizes devices with type
INTF_TYPE_IEEE80211 as Ethernet devices. This ought to make
wireless network scanning work on Windows Vista. For more background
see http://seclists.org/nmap-dev/2007/q4/0391.html . [David]

Documented the "--script all" option in the man page and NSE
article. This option executes all scripts in the NSE database
regardless of category. [Fyodor]

NSE scripts can now be specified by name without the .nse
extension. So instead of using "--script
bruteTelnet.nse,HTTPpasswd.nse,SQLInject.nse,robots.nse", you can
just pass "--script bruteTelnet,HTTPpasswd,SQLInject,robots". [Kris]

Removed some auto-generated files from the new nselib-bin directory
as they could cause compatibility problems. Also updated
mswin32/Makefile to reflect the new nselib-bin DLL location [David]

ripeQuery.nse was updated to avoid printing some useless
information. [Kris]

Compatibility with systems that have the pcre.h header file in its
own pcre directory should now be fixed for real. [Fyodor]

Enhanced the radmind service detection signature and added a
deprecated radmind port to nmap-services. [Matt Selsky]

Zenmap now gives better errors to stdout when it can't even pop up a
dialog box (such as when PyGTK can't be loaded). [David]

Fixed a Zenmap crash which occurred on Mac OS X and possibly other
platforms. The error message said: "object of type
'ScanHostDetailsPage' has no len()". [David]

Fixed a crash which occurred when an NSE script called
set_port_version() at times that version scanning was not
enabled. [Diman]

Fixed the NSIS installer so that it does not include some excess
files (mswin32/* and .svn). Thanks to Alan Jones for reporting the
problem. [Fyodor]

Renamed some Zenmap Python packages to allow Zenmap and Umit to be
installed at the same time. [David]

Updated nmap-mac-prefixes with the latest IEEE data. Also added
back Cooperative Linux virtual NIC which was inadvertently removed in
a previous release. [Fyodor]

Zenmap now has a man page! It isn't very long yet, but covers the
basics. Thanks to David for writing this.

A new NSE script, promiscuous.nse, scans devices on a local network
looking for sniffers (devices running in promiscuous mode). This
script is from Marek Majkowski and is the first to use the NSE pcap
extension system (which he also wrote). The script is only in the
discovery category for now so it does not run by default. Specify
it by name for now. We may make it default after the upcoming
stable release.

Nmap can now handle IP aliases on Windows. A given device such as
eth0 might have several IP addresses. Nmap will use the primary
address, so you need to use -S if you want to specify a different
one. [David]

An exception (rather than luaL_argerror) is now thrown when an SSL
connection is attempted but OpenSSL isn't available. [David]

There is now an nmap.have_ssl NSE function so you can avoid doing
NSE probes when SSL isn't available. [David]

Zenmap now looks for its data files relative to the directory of the
zenmap script to allow running from the build/svn directory. [David]

NSE C modules are now installed into an nselib-bin directory. This
was needed to make the dns-test-open-recursion and zoneTrans NSE
scripts work properly, since they use the NSE bit library
(bit.so). [Diman, Fyodor]

Axillary autoconf scripts such as config.guess, config.sub,
depcomp, install-sh, and ltmain.sh were deleted from Nmap
subdirectories because configure is smart enough to use the ones from
the parent directory. This decreases the Nmap source tarball and svn
checkout sizes. [David]

Nmap now compiles on systems which have the libPCRE include file in
pcre/pcre.h rather than just pcre.h. Thanks to Lionel Cons for the
report. [Fyodor]

Nmap binary is now stripped again, but it now uses -x to avoid
stripping dynamically loaded NSE functions on Mac OS X. [David]

Normalized Zenmap's handling of results files specified on the
command line. In some cases, Zenmap would ignore specified results
files just because some unrelated options were used. [David]

configure.ac now uses literal directory names rather than variable
references in calls to AC_CONFIG_SUBDIRS. This removes an annoying
warning message which has existed for years when you regenerate
configure. [David]

Fixed a configure.ac error which prevented you from specifying an
alternative libnsock directory. [David]

Check for Python in configure only if Zenmap is requested, and bail
out if Zenmap is explicitly requested (--with-zenmap) and Python is
not available. [David]

Static code analysis company Coverity generously offered to scan the
Nmap code base for flaws, and Kris volunteered to go through their
report and fix the ones which were actual/possible problems rather
than false positives. Their system proved quite useful, and about a
dozen potential problems were fixed. For details, see Kris'
11/15/07 SVN commits.

Improved the Zenmap RPM file so that it should work on either Python
2.4 or Python 2.5 machines. It should also work on any platform (x86,
x86_64, etc.) [David]

A number of Solaris compilation fixes were added. Hopefully it
works for more Solaris users now. We also fixed an alignment issue
which could cause a bus error on Solaris. [David]

When an NSE script changes the state of a port (e.g. from
open|filtered to open), the --reason flag is now changed to
"script-set". Also, the port state reason is now available to NSE
scripts through a "reason" element in the port-table. Thanks to
Matthew Boyle for the patch.

When version detection changes the state of a port, the reason field
is now updated as well (to udp-response or tcp-response as
applicable). Thanks to Thomas Buchanan for the patch.

Reworded an error message after a woman reported that it was "highly
offensive and sexist". She also noted that "times have changed and
many women now use your software" and "a sexist remark like the one
above should have no place in software." The message was: "TCP/IP
fingerprinting (for OS scan) requires root privileges. Sorry,
dude.". I checked svn blame to call out the insensitive,
chauvinistic jerk who wrote that error message, but it was me :).

We received a bug report through Debian entitled "Nmap is a
clairvoyant" because when you run it with -v on September 1 1970, it
reports "Happy -27th Birthday to Nmap, may it live to be 73!". We
have decided that clairvoyance is a feature and ignored the report.

We no longer strip the Nmap binary before installing it, as that was
leading to a runtime error on Mac OS X: "lazy symbol binding failed:
Symbol not found: _luaL_openlib". Unfortunately, the unstripped
Nmap binary can be much larger (e.g. 4MB vs. 800KB) so we are
working on a better fix which allows us to continue stripping the
binary on other platforms.

NmapFE is now gone. It had a good run as the default Nmap GUI
for more than 8 years (since April 1999). But after two years of
development, Zenmap is ready to take its place. Zenmap is portable
and provides a much better interface to executing and (especially)
viewing and analyzing Nmap results. David did the honors of
removing NmapFE.

We have lost another old friend as well: 1st generation OS
detection system. Nmap revolutionized OS detection when this was
released in October 1998 and it served us well for more than 9 years
as the database grew to 1,684 fingerprints. But the 2nd generation
system incorporates everything we learned during all those years and
has proven itself even more effective. I couldn't bear to kill this
myself, so David did the dirty work.

There is no longer any artificial limit on the number of ports or
protocols that can be used for host discovery. Port lists for ping
scan now use the same syntax as the -p option except that T:, U:,
and P: are not allowed. This means that you can do

nmap -PS1-1000 target
nmap -PAhttp,https target
nmap -PU'[-]' target

[David]

Zenmap is now available packaged in RPM format. Since Zenmap is
written in Python, we no longer have to have separate x86 and x86_64
versions like we did with NmapFE (and like we still do with
Nmap). [David]

Fixed a crash (assertion failure) which could occur during ARP Ping
scan [Kris]

Fixed Zenmap so that it can handle asterisks in the command line
(e.g. "nmap 192.168.*.*" or "nmap -phttp* localhost") [David]

Change the Zenmap bug report dialogue to now give instructions for
reporting issues to nmap-dev. [David]

Modified higwidgets/higdialogs.py for compatibility with old
versions of PyGTK. [David]

Removed the old massping() system, since the functionality has now
been migrated into the existing ultra_scan() system (which is used
for port scanning too). Thanks to David for doing the migration,
which involved a lot of work and testing. The new system is
frequently faster and more accurate than massping(), and some of the
new algorithms benefit port scans too.

Renamed Umit to Zenmap to reduce confusion between the version we
ship with Nmap as the integrated GUI and the version maintained
separately at umit.sourceforge.net. We are excited about Zenmap and
expect to remove NmapFE in the near future

Integrated all of your Q3 service detection submissions! We have
now surpassed 4500 signatures and are approaching 500 service
protocols. Wow! Thanks to Doug for doing the integration. His
notes on the crazy and interesting services discovered this quarter
are at http://hcsw.org/blog.pl/31 .

Added a new ping type: IPProto Ping. Use -PO (that is the letter O
as in prOtOcOl, not a zero). This is similar to protocol scan (-sO)
in that it sends IP headers with different protocols in the hope of
eliciting a response from targets. The default is to send with
protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP tunnel), but you can
specify different protocol numbers on the command line the same way
you specify TCP/UDP ports to -PS or -PU. To reduce confusion, we now
recommend that -PN be used when you don't want pings done rather
than using the old -P0 (zero). [Kris]

The SMTPcommands.nse script was updated to support the HELP query in
addition to EHLO [Jasey DePriest]

Added --ttl support for connect() scans (-sT). [Kris]

Combine the Zenmap setup scripts into one portable setup.py rather
than having separate versions for Windows, Unix, and Mac OS X.

Removed a bunch of unnecessary/incomplete code and data files from
Zenmap. [David]

Nmap has better dependency tracking now such that it no longer
builds the executable every time you type 'make'. This was causing
problems where 'make; sudo make install' would create a root-owned
nmap executable because it was rebuilt as part of 'make
install'. [David]

Integrated all of your OS detection new fingerprint submissions and
correction reports. The grew more DB more than 18% to 825
fingerprints. Keep those submissions coming! [David]

Made a number of significant improvements to host discovery
algorithms for better performance and reliability. [David]

Fixed a bug which prevented the first OS detection guess from being
included in XML output. This only applies when no exact matches
were found. Thanks to Martyn Tovey of Netcraft for reporting the
problem and helping to track it down in the code.

Improve the script scan scheduling system to prevent the system from
running out of sockets by executing too many scripts concurrently
during large scans. Thanks to Brandon Enright for finding the bug
and Stoiko for fixing it.

Updated the *.dmp preprocessed Nmap data files used by UMIT, and
also updated the scripts used to create them. [David]

WinPcap installer was updated so that on Windows Vista it uses a
different Packet.dll and omits WanPacket.dll. [Eddie]

Unix installation now places NSELib dynamic libraries in 'libexec'
rather than 'share' directories, since they are architecture
dependent. Thanks to Christoph J. Thompson for the patch.

Fix bug related to users providing custom libpcre location to
configure (reported by Daniel Johnson, fixed by Stoiko). A patch
from Marek Majkowski which caps the number of sockets opened by NSE
scripts was also applied.

The UMIT version number is automatically updated to be the same as
the Nmap version number rather than always being 0.9.4. [David]

UMIT now sorts port numbers numerically rather than alphabetically
[Adriano]

Three UMIT data files (options.xml, profile_editor.xml, and
wizard.xml) are installed in the shared UMIT data directory
(e.g. /usr/share/umit/misc) rather than in every user's ~/.umit
directory. [David]

Added HTTPtrace demo NSE script by Kris, who also updated his
HTTPpasswd script.

A bunch of capitalization/spelling canonicalization changes were
made to Nmap output. For example: ftp to FTP and idlescan to
idle scan.

Made some improvements to the nmap.xsl stylesheet for converting
Nmap XML results to HTML reports. It now does a better job at
removing empty sections and headers. Thanks to Henrik Lund Kramshoej
for the patch.

Updated nmap-mac-prefixes with the latest IEEE data.

Disabled auto-generation of libpcre/pcre_chartables.c because that
was useless for our purposes and could also cause some version
control related problems. [David]

Included David's major massping migration project. The same
underlying engine is now used for ping scanning as for port
scanning. We hope this will lead to better performance and
accuracy, as well as helping to de-bloat Nmap. Please test it out
and report your results to nmap-dev! For more details, see
http://seclists.org/nmap-dev/2007/q3/0277.html

Fixed UMIT bug which occurred when installing to a non-standard
directory (e.g. a home directory). This caused Python to not be able
to find the necessary files. [Kris]

Fixed an error related to version scans against SSL services on
UNIX. The error said "nsock_connect_ssl called - but nsock was
built w/o SSL support. QUITTING". Thanks to Jasey DePriest for
tracking down the problem and David Fifield for fixing it.

Fixed (I hope) a problem with running Nmap on Mac OS X machines with
VMWare Fusion running. The error message started with:
"getinterfaces: Failed to open ethernet interface (vmnet8). A
possible cause on BSD operating systems is running out of BPF
devices ...." For more details, see
http://seclists.org/nmap-dev/2007/q3/0254.html .

Check that --script arguments are reasonable when Nmap starts rather
than potentially waiting for a bunch of port scanning to finish
first. [Stoiko]

Fixed (we hope) a UMIT problem which resulted in the error message:
"NameError: global name 'S_IRUSR' is not defined". [Adriano]

Removed an error message which used to appear when you quit UMIT on
Windows. The message used to say "Errors occurred - See the logfile
[filename] for details." [Adriano]

Fix permissions on files installed by Umit so that it should work
even if you do 'make install' from an account with a 077 umask.

Add a feature to Umit that lets you search your unsaved
scans. [Eddie]

Added back a previously removed feature which allows you to specify
'rnd' as one of your decoys (-D option) to let Nmap choose a random
IP. You also use a format such as rnd:5 to generate five random
decoys. [Kris]

Reference guide (man page) updates to the NSE section, and some
general cleanup.

When Nmap finishes, it now says "Nmap done" rather than "Nmap run
completed". No need to waste pixels on excess verbiage.

All of your 2nd Quarter 2007 Nmap version detection fingerprints
were integrated by Doug. The DB now contains 4,347 signatures for
439 service protocols. Doug describes the highlights (craziest
services found) in his integration report at
http://hcsw.org/blog.pl/29 .

NSE now supports raw IP packet sending and receiving thanks to a
patch from Marek Majkowski. Diman handled testing and applied the
patch.

Nmap now has Snprintf() and Vsnprintf() as safer alternatives to the
standard version. The problem is that the Windows version of these
functions (_snprintf, _vsnprintf) doesn't properly terminate strings
when it has to truncate them. These wrappers ensure that the string
written is always truncated. Thanks to Kris for doing the work.

Upgraded libpcre from version 6.7 to 7.2 [Kris]

Merged various Umit bug fixes from SourceForge trunk: "missing import
webbrowser on umit", "Missing markup in 'OS Class' on
HostDetailsPage", "some command line options are now working
(target, profile, verbose, open result file and run an nmap
command)", "removing unused functions import from os.path",
"verbosity works on command line"

Eddie fixed several Umit bugs. Umit now sets the file save
extension to .usr unless the user specifies something else. The
details highlight regular expression was improved and an error message was added
when no target was specified and -iR and -iL aren't used.

reason.cc/reason.h renamed to portreasons.cc/.h because a reason.h
in the Windows platform SDK was causing conflicts. [Kris]

Fixed a bug in --iflist which would lead to crashes. Thanks to
Michael Lawler for the report, and Eddie for the fix.

The UMIT graphical Nmap frontend is now included (as an ALPHA TEST
release) with the Nmap tarball distribution. It isn't yet in the
RPMs or the Windows distributions. UMIT is written with Python/GTK
and has many huge advantages over NmapFE. It installs from the Nmap
source tarballs as part of the "make install" process unless you
specify --without-umit to configure. Please give UMIT a try (the
executable is named umit) and let us know the results! We hope to
include UMIT in the Windows Nmap distributions soon.

Added the --reason option which explains WHY Nmap assigned a port
status. For example, a port could be listed as "filtered" because
no response was received, or because an ICMP network unreachable
message was received. [Eddie]

Integrated all of your 2nd generation OS detection submissions,
increasing the database size by 68% since 4.21ALPHA4 to 699
fingerprints. The 2nd generation database is now nearly half (42%)
the size of the original. Please keep those submissions coming so
that we can do another integration round before the SoC program ends
on August 20! Thanks to David Fifield for doing most of the
integration work!

Integrated version detection submissions. The database has grown by
more than 350 signatures since 4.21ALPHA4. Nmap now has 4,236
signatures for 432 service protocols. As usual, Doug Hoyte deserves
credit for the integration marathon, which he describes at
http://hcsw.org/blog.pl .

Added the NSE library (NSELib) which is a library of useful
functions (which can be implemented in LUA or as loadable C/C++
modules) for use by NSE scripts. We already have libraries for bit
operations (bit), list operations (listop), URL fetching and
manipulation (url), activation rules (shortport), and miscellaneous
commonly useful functions (stdnse). Stoiko added the underlying
functionality, though numerous people contributed to the library
routines.

Added --servicedb and --versiondb command-line options which allow
you to specify a custom Nmap services (port to port number translation
and port frequency) file or version detection database. [David
Fifield]

The build dependencies were dramatically reduced by removing
unnecessary header includes and moving header includes from .h
files to .cc as well as adding some forward declarations. This
reduced the number of makefile.dep dependencies from 1469 to 605.
This should make Nmap compilation faster and prevent some
portability problems. [David Fifield]

Canonicalized a bunch of OS classes, device types, etc. in the OS
detection and version scanning databases so they are named
consistently. [Doug]

If we get a ICMP Protocol Unreachable from a host other than our
target during a port scan, we set the state to 'filtered' rather than
'closed'. This is consistent with how port unreachable errors work for
udp scan. [Kris]

Relocated OSScan warning message (could not find 1 closed and 1 open
port). Now output.cc prints the warning along with a targets OSScan
results. [Eddie]

Fixed a bug which caused port 0 to be improperly used for gen1 OS
detection in some cases when your scan includes port 0 (it isn't
included by default). Thanks to Sebastian Wolfgarten for the report
and Kris Katterjohn for the fix.

A number of changes were made to the Windows build system to handle
version numbers, publisher field, add/remove program support,
etc. [Eddie]

The Nmap -A option now enables the traceroute option too [Eddie]

Improved how the Gen1 OS Detection system selects which UDP ports to
send probes to. [Kris]

Updated nmap-mac-prefixes to latest IEEE data as of 5/18/07. Also
removed some high (greater than 0x80) characters from some company
names because they were causing this error on Windows when Nmap is
compiled in Debug mode:
isctype.c Line 56: Expression: (unsigned)(c + 1) <= 256".
Thanks to Sina Bahram for the initial report and Thomas Buchanan for
tracking down the problem.

Added a SIP (IP phone) probe from Matt Selsky to nmap-service-probes.

Fixed a bug which prevented the NSE scripts directory from appearing
in the Win32 .zip version of Nmap.

Fixed a bug in --traceroute output. It occurred when a traced host could
be fully consolidated, but only the first hop number was outputted. [Kris]

The new "rnd" option to -D allows you to ask Nmap to generate random
decoy IPs rather having to specify them all yourself. [Kris]

Fixed a Traceroute bug relating to scanning through the localhost
interface on Windows (which previously caused a crash). Thanks to
Alan Jones for the report and Eddie Bell for the fix.

Fixed a traceroute bug related to tracing between interfaces of a
multi-homed host. Thanks to David Fifield for reporting the problem
and Eddie Bell for the fix.

Service detection (-sV) and OS detection (-O) are now (rightfully)
disabled when used with the IPProto Scan (-sO). Using the Service
Scan like this led to premature exiting, and the OS Scan led to gross
inaccuracies. [Kris]

Performed a huge OS detection submission integration marathon. More
than 500 submissions were processed, increasing the 2nd generation
OS DB size 65% to 381 fingerprints. And many of the existing ones
were improved. We still have a bit more than 500 submissions (sent
after January 16) to process. Please keep those submissions coming!

Integrated all of your Q32006 service fingerprint submissions. The
nmap-service-probe DB grew from 3,671 signatures representing 415
service protocols to 3,877 signatures representing 426 services. Big
thanks to version detection czar Doug Hoyte for doing this. Notable
changes are described at http://hcsw.org/blog.pl?a=20&b=20 .

Nmap now has traceroute support, thanks to an excellent patch by
Eddie Bell. The new system uses Nmap data to determine which sort of
packets are most likely to slip through the target network and
produce useful results. The system is well optimized for speed and
bandwidth efficiency, and the clever output system avoids repeating
the same initial hops for each target system. Enable this
functionality by specifying --traceroute.

Fix nmap.xsl (the transform for rendering Nmap XML results as HTML)
to fix some bugs related to OS detection output. Thanks to Tom
Sellers for the patch.

Fixed a bug which prevented the --without-liblua compilation option
from working. Thanks to Kris Katterjohn for the patch.

Fixed a bug which caused nmap --iflist to crash (and might have
caused crashes in other circumstances too). Thanks to Kris
Katterjohn for the report and Diman Todorov for the fix.

Applied a bunch of code cleanup patches from Kris Katterjohn.

Some scan types were fixed when used against localhost. The UDP Scan
doesn't find its own port, the TCP Scan won't print a message (with -d)
about an unexpected packet (for the same reason), and the IPProto Scan
won't list every port as "open" when using --data-length >= 8. [Kris]

The IPProto Scan should be more accurate when scanning protocol 17 (UDP).
ICMP Port Unreachables are now checked for, and UDP is listed as "open"
if it receives one rather than "open|filtered" or "filtered". [Kris]

The --scanflags option now also accepts "ECE", "CWR", "ALL" and "NONE" as
arguments. [Kris]

The --packet-trace option was added to NmapFE. The Ordered Ports (-r)
option in now available to non-root users on NmapFE as well. [Kris]

Integrated the Nmap Scripting Engine (NSE) into mainline Nmap.
Diman Todorov and I have been working on this for more than six months, and
we hope it will expand Nmap's capabilities in many cool ways. We're
accepting (and writing) general purpose scripts to put into Nmap
proper, and you can also write personal scripts to deal with issues
specific to your environment. The system is documented at
https://nmap.org/book/nse.html .

Fixed a segmentation fault in the new OS detection system
which was reported by Craig Humphrey and Sebastian Garcia.

Fixed a TCP sequence prediction difficulty indicator bug. The index
is supposed to go from 0 ("trivial joke") to about 260 (OpenBSD).
But some systems generated ISNs so insecurely that Nmap went
berserk and reported a negative difficulty index. This generally
only affects some printers, crappy cable modems, and Microsoft
Windows (old versions). Thanks to Sebastian Garcia for helping me
track down the problem.

Integrated all of your OS detection submissions since RC1. The DB
has increased 13% to 214 fingerprints. Please keep them coming!
New fingerprints include versions of z/OS, OpenBSD, Linux, AIX,
FreeBSD, Cisco CatOS, IPSO firewall, and a slew of printers and
misc. devices. We also got our first Windows 95 fingerprint,
submitted anonymously of course :).

Fixed (I hope) the "getinterfaces: intf_loop() failed" error which
was seen on Windows Vista. The problem was apparently in
intf-win32.c of libdnet (need to define MIB_IF_TYPE_MAX to
MAX_IF_TYPE rather than 32). Thanks to Dan Griffin
(dan(a)jwsecure.com) for tracking this down!

Integrated all of your OS detection submissions, bringing the
database up to 149 fingerprints. This is an increase of 28% from
ALPHA10. Notable additions include FreeBSD 6.1, a bunch of HP
LaserJet printers, and HP-UX 11.11. We also got a bunch of more
obscure submissions like Minix 3.1.2a and "Ember InSight Adapter for
programming EM2XX-family embedded devices". Who doesn't have a few
of those laying around? I'm hoping that all the obscure submissions
mean that more of the mainstream systems are being detected out of
the box! Please keep those submissions (obscure or otherwise)
coming!

Integrated the newly submitted OS fingerprints. The DB now contains
71 fingerprints, up 27% from 56 in ALPHA8. Please keep them coming!
We still only have 4.2% as many fingerprints as the gen1 database.

Added the --open option, which causes Nmap to show only open ports.
Ports in the states "open|closed" and "unfiltered" might be open, so
those are shown unless the host has an overwhelming number of them.

Nmap gen2 OS detection used to always do 2 retries if it fails to
find a match. Now it normally does just 1 retry, but does 4 retries
if conditions are good enough to warrant fingerprint submission.
This should speed things up on average. A new --max-os-tries option
lets you specify a higher lower maximum number of tries.

Added --unprivileged option, which is the opposite of --privileged.
It tells Nmap to treat the user as lacking network raw socket and
sniffing privileges. This is useful for testing, debugging, or when
the raw network functionality of your operating system is somehow
broken.

Fixed a confusing error message which occurred when you specified a
ping scan or list scan, but also specified -p (which is only used for
port scans). Thanks to Thomas Buchanan for the patch.

NmapFE now uses a spin button for verbosity and debugging options so
that you can specify whatever verbosity (-v) or debugging (-d) level
you desire. The --randomize-hosts option was also added to NmapFE.
Thanks to Kris Katterjohn for the patches.

A dozen or so small patches to Nmap and NmapFE by Kris Katterjohn.

Removed libpcap/Win32 and libpcap/msdos as Nmap doesn't use them.
This reduces the Nmap tar.bz2 by about 50K. Thanks to Kris Katterjohn
for the suggestion.

Did a bunch of Nmap 2nd generation fingerprint integration work.
Thanks to everyone who sent some in, though we still need a lot more.
Also thanks to Zhao for a bunch of help with the integration tools.
4.20ALPHA6 had 12 fingerprints, this new version has 42. The old DB
(still included) has 1,684.

Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
(http://standards.ieee.org/regauth/oui/oui.txt) as of September 6, 2006.
Also added the unregistered PearPC virtual NIC prefix, as suggested
by Robert Millan (rmh(a)aybabtu.com).

Fixed a bug in 2nd generation OS detection which would (usually) prevent
fingerprints from being printed when systems don't respond to the 1st
ICMP echo probe (the one with bogus code value of 9). Thanks to
Brandon Enright for reporting and helping me debug the problem.

Fixed some problematic Nmap version detection signatures which could
cause warning messages. Thanks to Brandon Enright for the initial patch.

Worked with Zhao to improve the new OS detection system with
better algorithms, probe changes, and bug fixes. We're
now ready to start growing the new database! If Nmap gives you
fingerprints, please submit them at the given URL. The DB is still
extremely small. The new system is extensively documented at
https://nmap.org/book/osdetect.html .

Nmap now supports IP options with the new --ip-options flag. You
can specify any options in hex, or use "R" (record route), "T"
(record timestamp), "U") (record route & timestamp), "S [route]"
(strict source route), or "L [route]" (loose source route). Specify
--packet-trace to display IP options of responses. For further
information and examples, see https://nmap.org/book/man.html and
http://seclists.org/nmap-dev/2006/q3/0052.html . Thanks to Marek
Majkowski for writing and sending the patch.

Integrated all 2nd quarter service detection fingerprint
submissions. Please keep them coming! We now have 3,671 signatures
representing 415 protocols. Thanks to version detection czar Doug
Hoyte for doing this.

Nmap now uses the (relatively) new libpcap pcap_get_selectable_fd
API on systems which support it. This means that we no longer need
to hack the included Pcap to better support Linux. So Nmap will now
link with an existing system libpcap by default on that platform if
one is detected. Thanks to Doug Hoyte for the patch.

Updated the included libpcap from 0.9.3 to 0.9.4. The changes I
made are in libpcap/NMAP_MODIFICATIONS . By default, Nmap will now
use the included libpcap unless version 0.9.4 or greater is already
installed on the system.

Applied some nsock bugfixes from Diman Todorov. These don't affect
the current version of Nmap, but are important for his Nmap
Scripting Engine, which I hope to integrate into mainline Nmap in
September.

Fixed a bug which would occasionally cause Nmap to crash with the
message "log_vwrite: write buffer not large enough". I thought I
conquered it in a previous release -- thanks to Doug Hoyte for finding a
corner case which proved me wrong.

Fixed a bug in the rDNS system which prevented us from querying
certain authoritative DNS servers which have recursion explicitly
disabled. Thanks to Doug Hoyte for the patch.

--packet-trace now reports TCP options (thanks to Zhao Lei for the
patch). Thanks to the --ip-options addition also found in this
release, IP options are printed too.

Cleaned up Nmap DNS reporting to be a little more useful and
concise. Thanks to Doug Hoyte for the patch.

Applied a bunch of small internal cleanup patches by Kris Katterjohn
(katterjohn(a)gmail.com).

Fixed the 'distclean' make target to be more comprehensive. Thanks
to Thomas Buchanan (Thomas.Buchanan(a)thecompassgrp.net) for the
patch.

Nmap now provides progress statistics in the XML output in verbose
mode. Here are some examples of the format (etc is "estimated time
until completion) and times are in UNIX time_t (seconds since 1970) format.

Updated the Windows installer to give an option checkbox for
performing the Nmap performance registry changes. The default is to
do so. Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.

Applied several code cleanup patches from Marek Majkowski.

Added --release-memory option, which causes Nmap to release all
accessible memory buffers before quitting (rather than let the OS do
it). This is only useful for debugging memory leaks.

Fixed a bug related to bogus completion time estimates when you
request an estimate (through runtime interaction) right when Nmap is
starting a subsystem (such as a port scan or version detection).
Thanks to Diman Todorov for reporting the problem and Doug Hoyte for
writing a fix.

Nmap no longer gets random numbers from OpenSSL when it is available
because that turned out to be slower than Nmap's other methods
(e.g. /dev/urandom on Linux, /dev/arandom on OpenBSD, etc.). Thanks
to Marek Majkowski for reporting the problem.

Updated the Windows binary distributions (self-installer and .zip)
to include the new 2nd generation OS detection DB (nmap-os-db).
Thanks to Sina Bahram for reporting the problem.

Fixed the --max-retries option, which wasn't being honored. Thanks
to Jon Passki (jon.passki(a)hursk.com) for the patch.

Fixed the English translation of TCP sequence difficulty reported by
Brandon Enright, and also removed fingerprint printing for 1st
generation fingerprints (I don't really want to deal with those
anymore). Thanks to Zhao Lei for writing this patch.

Fix a problem which caused OS detection to be done in some cases
even if the user didn't request it. Thanks to Diman Todorov for the
fix.

Fixed the Nmap Makefile (actually Makefile.in) to correctly handle
include file dependencies. So if a .h file is changed, all of the
.cc files which depend on it will be recompiled. Thanks to Diman
Todorov (diman(a)xover.mud.at) for the patch.

Fixed a compilation problem on solaris and possibly other platforms.
The error message looked like "No rule to make target `inet_aton.o',
needed by `libnbase.a'". Thanks to Matt Selsky
(selsky(a)columbia.edu) for the patch.

Applied a patch which helps with HP-UX compilation by linking in the
nm library (-lnm). Thanks to Zakharov Mikhail
(zmey20000(a)yahoo.com) for the patch.

Added version detection probes for detecting the Nessus daemon.
Thanks to Adam Vartanian (flooey(a)gmail.com) for sending the patch.

Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
(http://standards.ieee.org/regauth/oui/oui.txt) as of May 31, 2006.
Also added a couple unregistered OUI's (for QEMU and Bochs)
suggested by Robert Millan (rmh(a)aybabtu.com).

Fixed a bug which could cause false "open" ports when doing a UDP
scan of localhost. This usually only happened when you scan tens of
thousands of ports (e.g. -p- option).

Fixed a bug in service detection which could lead to a crash when
"--version-intensity 0" was used with a UDP scan. Thanks to Makoto
Shiotsuki (shio(a)st.rim.or.jp) for reporting the problem and Doug
Hoyte for producing a patch.

Made some AIX and HP-UX portability fixes to Libdnet and NmapFE.
These were sent in by Peter O'Gorman
(nmap-dev(a)mlists.thewrittenword.com).

When you do a UDP+TCP scan, the TCP ports are now shown first (in
numerical order), followed by the UDP ports (also in order). This
contrasts with the old format which showed all ports together in
numerical order, regardless of protocol. This was at first a "bug",
but then I started thinking this behavior may be better. If you
have a preference for one format or the other, please post your
reasons to nmap-dev.

Changed mass_dns system to print a warning if it can't find any
available DNS servers, but not quit like it used to. Thanks to Doug
Hoyte for the patch.

Integrated all of your submissions (about a thousand) from the first
quarter of this year! Please keep 'em coming! The DB has increased
from 3,153 signatures representing 381 protocols in 4.03 to 3,441
signatures representing 401 protocols. No other tool comes close!
Many of the already existing match lines were improved too. Thanks
to Version Detection Czar Doug Hoyte for doing this.

Nmap now allows multiple ignored port states. If a 65K-port scan
had, 64K filtered ports, 1K closed ports, and a few dozen open
ports, Nmap used to list the dozen open ones among a thousand lines
of closed ports. Now Nmap will give reports like "Not shown: 64330
filtered ports, 1000 closed ports" or "All 2051 scanned ports on
192.168.0.69 are closed (1051) or filtered (1000)", and omit all of
those ports from the table. Open ports are never ignored. XML
output can now have multiple <extraports> directive (one for each
ignored state). The number of ports in a single state before it is
consolidated defaults to 26 or more, though that number increases as
you add -v or -d options. With -d3 or higher, no ports will be
consolidated. The XML output should probably be augmented to give
the extraports directive 'ip', 'tcp', and 'udp' attributes which
specify the corresponding port numbers in the given state in the
same listing format as the nmaprun.scaninfo.services attribute, but
that part hasn't yet been implemented. If you absolutely need the
exact port numbers for each state in the XML, use -d3 for now.

Nmap now ignores certain ICMP error message rate limiting (rather
than slowing down to accommodate it) in cases such as SYN scan where
an ICMP message and no response mean the same thing (port filtered).
This is currently only done at timing level Aggressive (-T4) or
higher, though we may make it the default if we don't hear problems
with it. In addition, the --defeat-rst-ratelimit option has been
added, which causes Nmap not to slow down to accommodate RST rate
limits when encountered. For a SYN scan, this may cause closed
ports to be labeled 'filtered' because Nmap refused to slow down
enough to correspond to the rate limiting. Learn more about this
new option at https://nmap.org/book/man.html . Thanks to Martin
Macok (martin.macok(a)underground.cz) for writing the patch that
these changes were based on.

Moved my Nmap development environment to Visual C++ 2005 Express
edition. In typical "MS Upgrade Treadmill" fashion, Visual Studio
2003 users will no longer be able to compile Nmap using the new
solution files. The compilation, installation, and execution
instructions at https://nmap.org/book/inst-windows.html have been
upgraded.

Automated my Windows build system so that I just have to type a
single make command in the mswin32 directory. Thanks to Scott
Worley (smw(a)pobox.com>, Shane & Jenny Walters
(yfisaqt(a)waltersinamerica.com), and Alex Prinsier
(aphexer(a)mailhaven.com) for reading my appeal in the 4.03
CHANGELOG and assisting.

Changed the PortList class to use much more efficient data
structures and algorithms which take advantage of Nmap-specific
behavior patterns. Thanks to Marek Majkowski
(majek(a)forest.one.pl) for the patch.

Fixed a bug which prevented certain TCP+UDP scan commands, such as
"nmap -sSU -p1-65535 localhost" from scanning both TCP and UDP.
Instead they gave the error message "WARNING: UDP scan was requested,
but no udp ports were specified. Skipping this scan type". Thanks to
Doug Hoyte for the patch.

Nmap has traditionally required you to specify -T* timing options
before any more granular options like --max-rtt-timeout, otherwise the
general timing option would overwrite the value from your more
specific request. This has now been fixed so that the more specific
options always have precedence. Thanks to Doug Hoyte for this patch.

Nmap now prints a warning when you specify a target name which
resolves to multiple IP addresses. Nmap proceeds to scan only the
first of those addresses (as it always has done). Thanks to Doug
Hoyte for the patch. The warning looks like this:
Warning: Hostname google.com resolves to 3 IPs. Using 66.102.7.99.

Disallow --host-timeout values of less than 1500ms, print a warning
for values less than 15s.

Changed all instances of inet_aton() into calls to inet_pton()
instead. This allowed us to remove inet_aton.c from nbase. Thanks to
KX (kxmail(a)gmail.com) for the patch.

When debugging (-d) is specified, Nmap now prints a report on the
timing variables in use. Thanks to Doug Hoyte for the patch. The
report loos like this:

Modified the WinPcap installer file to explicitly uninstall an
existing WinPcap (if you select that you wish to replace it) rather
than just overwriting the old version. Thanks to Doug Hoyte for
making this change.

Added some P2P application ports to the nmap-services file. Thanks
to Martin Macok for the patch.

The write buffer length increased in 4.03 was increased even further
when the debugging or verbosity levels are more than 2 (e.g. -d3).
Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for the patch. The
goal is to prevent you from ever seeing the fatal error:
"log_vwrite: write buffer not large enough -- need to increase"

Added a note to the Nmap configure dragon that people sick of him
can submit their own ASCII art to dev@nmap.org . If you
are wondering WTF I am talking about, it is probably because only
most elite Nmap users -- the ones who compile from source on UNIX --
get to see the 'l33t ASCII Art.

Updated the LibPCRE build system to add the -fno-thread-jumps option
to gcc when compiling on the new Intel-based Apple Mac OS X systems.
Hopefully this resolves the version detection crashes that several
people have reported on such systems. Thanks to Kurt Grutzmacher
(grutz(a)jingojango.net) for sending the configure.ac patch.

Made some portability fixes to keep Nmap compiling with the newest
Visual Studio 2005. Thanks to KX (kxmail(a)gmail.com) for
suggesting them.

Service fingerprints are now provided in the XML output whenever
they would appear in the interactive output (i.e. when a service
response with data but is unrecognized). They are shown in a new
'servicefp' attribute to the 'service' tag. Thanks to Brandon Enright
(bmenrigh(a)ucsd.edu) for sending the patch.

Improved the Windows build system -- mswin32/Makefile now takes care
of packaging Nmap and creating the installers once Visual Studio (GUI)
is done building the Release version of mswin32/nmap.sln. If someone
knows how to do this (build) step on the command line (using the
Makefile), please let me know. Or if you know how to at least make
'Release' (rather than Debug) the default configuration, that would be
valuable.

WinPcap 3.1 binaries are now shipped in the Nmap tarball, along with
a customized installer written by Doug Hoyte. That new WinPcap
installer is now used by the Nmap self-installer (if you request
WinPcap installation). Some Nmap users were uncomfortable with a
"phone home" feature of the official WinPcap installer. It connects
back to CACE Technologies, ostensibly to display news and (more
recently) advertisements. Our new installer omits that feature, but
should be otherwise perfectly compatible with WinPcap 3.1.

Fixed a rare crash bug thanks to a report and patch from Ganga
Bhavani (GBhavani(a)everdreamcorp.com)

Increased a write buffer length to keep Nmap from quitting with the
message "log_vwrite: write buffer not large enough -- need to
increase". Thanks to Dave (dmarcher(a)pobox.com) for reporting the
issue.

Updated to a newer XSL stylesheet (for XML to HTML output
transformation) by Benjamin Erb. This new version includes IP
address sorting, removal of javascript requirements, some new
address, hostname, and Nmap version information, and various minor
tweaks and fixes.

Cleaned up the Amiga port code to use atexit() rather than the
previous macro hack. Thanks to Kris Katterjohn (katterjohn(a)gmail.com)
for the patch. Applied maybe half a dozen new other code cleanup
patches from him as well.

Made some changes to various Nmap initialization functions which
help ALT Linux (altlinux.org) and Owl (openwall.com) developers run
Nmap in a chroot environment. Thanks to Dmitry V. Levin
(ldv(a)altlinux.org) for the patch.

Cleaned up the code a bit by making a bunch (nearly 100) global
symbols (mostly function calls) static. I was also able to removed
some unused functions and superfluous config.h.in defines. Thanks
to Dmitry V. Levin (ldv(a)altlinux.org) for sending a list of
candidate symbols.

Nmap now tests for the existence of data files using stat(2) rather
than testing whether they can be opened for reading (with fopen).
This is because some device files (tape drives, etc.) may react badly
to being opened at all. Thanks to Dmitry V. Levin
(ldv(a)altlinux.org) for the suggestion.

Changed Nmap to cache interface information rather than opening and
closing it (with dnet's eth_open and eth_close functions) all the
time.

Added the --log-errors option, which causes most warnings and error
messages that are printed to interactive-mode output (stdout/stderr)
to also be printed to the normal-format output file (if you
specified one). This will not work for most errors related to bad
command-line arguments, as Nmap may not have initialized its output
files yet. In addition, some Nmap error/warning messages use a
different system that does not yet support this option.

Rewrote much of the Nmap results output functions to be more
efficient and support --log-errors.

Fixed a flaw in the scan engine which could (in rare cases)
lead to a deadlock situation that prevents a scan from completing.
Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for reporting
and helping to debug the problem.

If the pcap_open_live() call (initiates sniffing) fails, Nmap now
tries up to two more times after waiting a little while. This is
attempt to work around a rare bug on Windows in which the
pcap_open_live() fails for unknown reasons.

Fixed a flaw in the runtime interaction in which Nmap would include
hosts currently being scanned in the number of hosts "completed"
statistic.

Fixed a crash in OS scan which could occur on Windows when a DHCP
lease issue causes the system to lose its IP address. Nmap still
quits, but at least it gives a proper error message now. Thanks to
Ganga Bhavani (GBhavani(a)everdreamcorp.com) for the patch.

Applied more than half a dozen small code cleanup patches from
Kris Katterjohn (katterjohn(a)gmail.com).

Modified the configure script to accept CXX when specified as an
absolute path rather than just the executable name. Thanks to
Daniel Roethlisberger (daniel(a)roe.ch) for this patch.

Fixed a bug that would cause bogus reverse-DNS resolution on
big-endian machines. Thanks to Doug Hoyte, Seth Miller, Tony Doan,
and Andrew Lutomirsky for helping to debug and patch the problem.

Fixed an important memory leak in the raw ethernet sending system.
Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for
identifying the bug and sending a patch.

Fixed --system-dns option so that --system_dns works too. Error
messages were changed to reflect the former (preferred) name.
Thanks to Sean Swift (sean.swift(a)bradford.gov.uk) and Peter
VanEeckhoutte (Peter.VanEeckhoutte(a)saraleefoodseurope.com) for
reporting the problem.

Whenever Nmap sends packets with the SYN bit set (except for OS
detection), it now includes the maximum segment size (MSS) tcp
option with a value of 1460. This makes it stand out less as almost
all hosts set at least this option. Thanks to Juergen Schmidt
(ju(a)heisec.de) for the suggestion.

Applied a patch for a Windows interface reading bug in the aDNS
subsystem from Doug Hoyte.

Changed a couple lines of tcpip.cc (put certain IP header fields in
host byte order rather than NBO) to (hopefully) support Mac OS X on
Intel. Thanks to Kurt Grutzmacher (grutz(a)jingojango.net) for the
patch.

Upgraded the included LibPCRE from version 6.3 to 6.4. There was a
report of version detection crashes on the new Intel-based MACs with
6.3.

Fixed an issue in which the installer would malfunction in rare
issues when installing to a directory with spaces in it. Thanks to
Thierry Zoller (Thierry(a)Zoller.lu) for the report.

Integrated all remaining 2005 service submissions. The DB now has
surpassed 3,000 signatures for the first time. There now are 3,153
signatures for 381 service protocols. Those protocols span the
gamut from abc, acap, afp, and afs to zebedee, zebra, and
zenimaging. It even covers obscure protocols such as http, ftp,
smtp, and ssh :). Thanks to Version Detection Czar Doug Hoyte for
his excellent work on this.

Added run time interaction as documented at
https://nmap.org/book/man-runtime-interaction.html .
While Nmap is running, you can now press 'v' to increase verbosity,
'd' to increase the debugging level, 'p' to enable packet tracing,
or the capital versions (V,D,P) to do the opposite. Any other key
(such as enter) will print out a status message giving the estimated
time until scan completion. This only works on UNIX for now. Do we
have any volunteers to add Windows support? You would need to
change a handful of UNIX-specific termio calls with the Windows
equivalents. This feature was created by Paul Tarjan
(ptarjan(a)stanford.edu) as part of the Google Summer of Code.

Reverse DNS resolution is now done in parallel rather than one at a
time. All scans of large networks (particularly list, ping and
just-a-few-ports scans) should benefit substantially from this
change. If you encounter any problems, please let us know. The new
--system_dns option was added so you can use the (slow) system
resolver if you prefer that for some reason. You can specify a
comma separated list of DNS server IP addresses for Nmap to use with
the new --dns_servers option. Otherwise, Nmap looks in
/etc/resolve.conf (UNIX) or the system registry (Windows) to obtain
the nameservers already configured for your system. This excellent
patch was written by Doug Hoyte (doug(a)hcsw.org).

Added the --badsum option, which causes Nmap to use invalid TCP or
UDP checksums for packets sent to target hosts. Since virtually all
host IP stacks properly drop these packets, any responses received
are likely coming from a firewall or IDS that didn't bother to
verify the checksum. For more details on this technique, see
http://www.phrack.org/phrack/60/p60-0x0c.txt . The author of that
paper, Ed3f (ed3f(a)antifork.org), is also the author of this patch
(which I changed it a bit).

The 26 Nmap commands that previously included an underscore
(--max_rtt_timeout, --send_eth, --host_timeout, etc.) have been
renamed to use a hyphen in the preferred format
(i.e. --max-rtt-timeout). Underscores are still supported for
backward compatibility.

More excellent NmapFE patches from Priit Laes (amd(a)store20.com)
were applied to remove all deprecated GTK API calls. This also
eliminates the annoying Gtk-Critical and Gtk-WARNING runtime messages.

Changed the way the __attribute__ compiler extension is detected so
that it works with the latest Fedora Core 4 updates (and perhaps other
systems). Thanks to Duilio Protti (dprotti(a)fceia.unr.edu.ar) for
writing the patch. The compilation error message this fixes was
usually something like: "nmap.o(.rodata+0x17c): undefined reference
to `__gthrw_pthread_cancel(unsigned long)"

Added some exception handling code to mswin32/winfix.cc to prevent
Nmap from crashing mysteriously when you have WinPcap 3.0 or earlier
(instead of the required 3.1). It now prints an error message instead
asking you to upgrade, then reduces functionality to connect()-only
mode. I couldn't get it working with the C++ standard try/catch()
blocks, but as soon as I used the nonstandard MS conventions
(__try/__except(), everything worked fine. Shrug.

Stripped the firewall API out of the libdnet included with Nmap
because Nmap doesn't use it anyway. This saves space and reduces the
likelihood of compilation errors and warnings.

Modified the previously useless --noninteractive option so that it
deactivates runtime interaction.

Added --max_retries option for capping the maximum number of
retransmissions the port scan engine will do. The value may be as low
as 0 (no retransmits). A low value can increase speed, though at the
risk of losing accuracy. The -T4 option now allows up to 6 retries,
and -T5 allows 2. Thanks to Martin Macok
(martin.macok(a)underground.cz) for writing the initial patch, which I
changed quite a bit. I also updated the docs to reflect this neat
new option.

Many of the Nmap low-level timing options take a value in
milliseconds. You can now append an 's', 'm', or 'h' to the value
to give it in seconds, minutes, or hours instead. So you can specify a
45 minute host timeout with --host_timeout 45m rather than specifying
--host_timeout 2700000 and hoping you did the math right and have the
correct number of zeros. This also now works for the
--min_rtt_timeout, --max_rtt_timeout, --initial_rtt_timeout,
--scan_delay, and --max_scan_delay options.

Improved the NmapFE port to GTK2 so it better-conforms to the new
API and you don't get as many annoying messages in your terminal
window. GTK2 is prettier and more functional too. Thanks to Priit
Laes (amd(a)store20.com) for writing these
excellent patches.

Fixed a problem which led to the error message "Failed to determine
dst MAC address for target" when you try to run Nmap using a
dialup/PPP adapter on Windows rather than a real ethernet card. Due
to Microsoft breaking raw sockets, Nmap no longer supports dialup
adapters, but it should now give you a clearer error message than
the "dst MAC address" nonsense.

Debian GNU/kFreeBSD is now supported thanks to a patch to libdnet's
configure.in by Petr Salinger (Petr.Salinger(a)t-systems.cz).

Tried to update to the latest autoconf only to find that there
hasn't been a new version in more than two years :(. I was able to
find new config.sub and config.guess files at
http://cvs.savannah.gnu.org/viewcvs/config/config/ , so I updated to
those.

Fixed a problem with the -e option when run on Windows (or UNIX with
--send_eth) when run on an ethernet network against an external
(routed) host. You would get the message "NmapArpCache() can only
take IPv4 addresses. Sorry". Thanks to KX (kxmail(a)gmail.com) for
helping to track down the problem.

Made some changes to allow source port zero scans (-g0). Nmap used
to refuse to do this, but now it just gives a warning that it may not
work on all systems. It seems to work fine on my Linux box. Thanks
to Bill Dale (bill_dale(a)bellsouth.net) for suggesting this feature.

Made a change to libdnet so that Windows interfaces are listed as
down if they are disconnected, unplugged, or otherwise unavailable.

Included docs/nmap-man.xml in the tarball distribution, which is the
DocBook XML source for the Nmap man page. Patches to Nmap that are
user-visible should include patches to the man page XML source rather
than to the generated Nroff.

Fixed Nmap so it doesn't crash when you ask it to resume a previous
scan, but pass in a bogus file rather than actual Nmap output. Thanks
to Piotr Sobolewski (piotr_sobolewski(a)o2.pl) for the fix.

Updated NmapFE to build with GTK2 rather than obsolete GTK1. Thanks
to Mike Basinger (dbasinge(a)speakeasy.net) and Meethune Bhowmick
(meethune(a)oss-institute.org) for developing the
patch. I made some changes as well to prevent compilation warnings.
The new NmapFE now seems to work, though I do get "Gtk-CRITICAL"
assertion error messages. If someone has time to look into this, that
would be appreciated.

Fixed a compilation problem on Mac OS X and perhaps other platforms
with a one-line fix to scan_engine.cc. Thanks to Felix Gröbert
(felix(a)groebert.org) for notifying me of the problem.

Fixed a problem that prevented the command "nmap -sT -PT [targets]"
from working from a non-privileged user account. The -PT option
doesn't change default behavior in this case, but Nmap should (and now
does) allow it.

Define INET_ADDRSTRLEN in tcpip.h if the system doesn't define it
for us. This apparently aids compilation on Solaris 2.6 and 7.
Thanks to Albert Chin (nmap-hackers(a)mlists.thewrittenword.com) for
sending the patch..

Put Nmap on a diet, with changes to the core port scanning routine
(ultra_scan) to substantially reduce memory consumption, particularly
when tens of thousands of ports are scanned.

Fixed a problem with the -S and option on Windows reporting "Failed
to resolve/decode supposed IPv4 source address". The -D (decoy)
option was probably broken on that platform too. Thanks to KX
(kxmail(a)gmail.com) for reporting the problem and tracking down a
potential solution.

Better handle ICMP type 3, code 0 (network unreachable) responses to
port scan packets. These are rarely seen when scanning hosts that
are actually online, but are still worth handling.

Modified libdnet-stripped/src/eth-bsd.c to allow for up to 128 bpf
devices rather than 32. This prevents errors like "Failed to open
ethernet interface (fxp0)" when there are more than 32 interface
aliases. Thanks to Krok (krok(a)void.ru) for reporting the problem
and even sending a patch.

Wrote a new man page from scratch. It is much more comprehensive
(more than twice as long) and (IMHO) better organized than the
previous one. Read it online at https://nmap.org/book/man.html
or docs/nmap.1 from the Nmap distribution. Let me know if you have
any ideas for improving it.

Wrote a new "help screen", which you get when running Nmap without
arguments. It is also reproduced in the man page and at
https://svn.nmap.org/nmap/docs/nmap.usage.txt . I gave up trying
to fit it within a 25-line, 80-column terminal window. It is now 78
lines and summarizes all but the most obscure Nmap options.

Version detection softmatches (when Nmap determines the service
protocol such as smtp but isn't able to determine the app name such as
Postfix) can now parse out the normal match line fields such as
hostname, device type, and extra info. For example, we may not know
what vendor created an sshd, but we can still parse out the protocol
number. This was a patch from Doug Hoyte (doug(a)hcsw.org).

Fixed a problem which caused UDP version scanning to fail to print
the matched service. Thanks to Martin Macok
(martin.macok(a)underground.cz) for reporting the problem and Doug
Hoyte (doug(a)hcsw.org) for fixing it.

Made the version detection "ports" directive (in
nmap-service-probes) more comprehensive. This should speed up scans a
bit. The patch was done by Doug Hoyte (doug(a)hcsw.org).

Fixed a crash occurred when the --exclude option was used with
netmasks on certain platforms. Thanks to Adam
(nmapuser(a)globalmegahost.com) for reporting the problem and to
Greg Darke (starstuff(a)optusnet.com.au) for sending a patch (I
modified the patch a bit to make it more efficient).

Fixed a problem with the -S and -e options (spoof/set
source address, and set interface by name, respectively). The problem
report and a partial patch were sent by Richard Birkett
(richard(a)musicbox.net).

Fixed a possible aliasing problem in tcpip.cc by applying a patch sent in by
Gwenole Beauchesne (gbeauchesne(a)mandriva.com). This problem
shouldn't have had any effect on users since we already include the
-fno-strict-aliasing option whenever gcc 4 is detected, but it
brings us closer to being able to remove that option.

Fixed a bug that caused Nmap to crash if an nmap-service-probes file
was used which didn't contain the Exclude directive.

Fixed a bunch of typos and misspellings throughout the Nmap source
code (mostly in comments). This was a 625-line patch by Saint Xavier
(skyxav(a)skynet.be).

Nmap now accepts target list files in Windows end-of-line format (\r\n)
as well as standard UNIX format (\n) on all platforms. Passing a
Windows style file to Nmap on UNIX didn't work before unless you ran
dos2unix first.

Removed Identd scan support from NmapFE since Nmap no longer
supports it. Thanks to Jonathan Dieter (jdieter99(a)gmx.net) for the
patch.

Integrated all of the September version detection fingerprint
submissions. This was done by Version Detection Czar Doug Hoyte
(doug(a)hcsw.org) and resulted in 86 new match lines. Please keep
those submissions coming!

Fixed a divide-by-zero crash when you specify rather bogus
command-line arguments (a TCP scan with zero tcp ports). Thanks to
Bart Dopheide (dopheide(a)fmf.nl) for identifying the problem and
sending a patch.

Fixed a minor syntax error in tcpip.h that was causing problems with
GCC 4.1. Thanks to Dirk Mueller (dmuell(a)gmx.net) for reporting
the problem and sending a fix.

Modified Libpcap's configure.ac to compile with the
-fno-strict-aliasing option if gcc 4.X is used. This prevents
crashes when said compiler is used. This was done for Nmap in 3.90, but is
apparently needed for pcap too. Thanks to Craig Humphrey
(Craig.Humphrey(a)chapmantripp.com) for the discovery.

Patched libdnet to include sys/uio.h in src/tun-linux.c. This is
apparently necessary on some Glibc 2.1 systems. Thanks to Rob Foehl
(rwf(a)loonybin.net) for the patch.

Fixed a crash which could occur when a ridiculously short
--host_timeout was specified on Windows (or on UNIX if --send_eth was
specified). Nmap now also prints a warning if you specify a
host_timeout of less than 1 second. Thanks to Ole Morten Grodaas
(grodaas(a)gmail.com) for discovering the problem.

Fixed a crash on Windows when you -P0 scan an unused IP on a local
network (or a range that contains unused IPs). This could also
happen on UNIX if you specified the new --send_eth option. Thanks
to Jim Carras (JFCECL(a)engr.psu.edu) for reporting the problem.

Fixed compilation on OpenBSD by applying a patch from Okan Demirmen
(okan(a)demirmen.com), who maintains Nmap in the OpenBSD Ports
collection.

Updated nmap-mac-prefixes to include OUIs assigned by the IEEE since
April.

Updated the included libpcre (used for version detection) from
version 4.3 to 6.3. A libpcre security issue was fixed in 6.3, but
that issue never affected Nmap.

Updated the included libpcap from 0.8.3 to 0.9.3. I also changed
the directory name in the Nmap tarball from libpcap-possiblymodified
to just libpcap. As usual, the modifications are described in the
NMAP_MODIFICATIONS in that directory.

Added the ability for Nmap to send and properly route raw ethernet
packets containing IP datagrams rather than always sending the
packets via raw sockets. This is particularly useful for Windows,
since Microsoft has disabled raw socket support in XP for no good
reason. Nmap tries to choose the best method at runtime based on
platform, though you can override it with the new --send_eth and
--send_ip options.

Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to
determine whether hosts on a LAN are up, rather than relying on
higher-level IP packets (which can only be sent after a successful
ARP request and reply anyway). This is much faster and more
reliable (not subject to IP-level firewalling) than IP-based probes.
The downside is that it only works when the target machine is on the
same LAN as the scanning machine. It is now used automatically for
any hosts that are detected to be on a local ethernet network,
unless --send_ip was specified. Example usage: nmap -sP -PR
192.168.0.0/16 .

Added the --spoof_mac option, which asks Nmap to use the given MAC
address for all of the raw ethernet frames it sends. The MAC given
can take several formats. If it is simply the string "0", Nmap
chooses a completely random MAC for the session. If the given
string is an even number of hex digits (with the pairs optionally
separated by a colon), Nmap will use those as the MAC. If less than
12 hex digits are provided, Nmap fills in the remainder of the 6
bytes with random values. If the argument isn't a 0 or hex string,
Nmap looks through the nmap-mac-prefixes to find a vendor name
containing the given string (it is case insensitive). If a match is
found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the
remaining 3 bytes randomly. Valid --spoof_mac argument examples are
"Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and
"Cisco".

Applied an enormous nmap-service-probes (version detection) update
from SoC student Doug Hoyte (doug(a)hcsw.org). Version 3.81 had
1064 match lines covering 195 service protocols. Now we have 2865
match lines covering 359 protocols! So the database size has nearly
tripled! This should make your -sV scans quicker and more
accurate. Thanks also go to the (literally) thousands of you who
submitted service fingerprints. Keep them coming!

Added 'leet ASCII art to the configurator! ARTIST NOTE: If you think
the ASCII art sucks, feel free to send me alternatives. Note that
only people compiling the UNIX source code get this (ASCII artist
unknown).

Added OS, device type, and hostname detection using the service
detection framework. Many services print a hostname, which may be
different than DNS. The services often give more away as well. If
Nmap detects IIS, it reports an OS family of "Windows". If it sees
HP JetDirect telnetd, it reports a device type of "printer". Rather
than try to combine TCP/IP stack fingerprinting and service OS
fingerprinting, they are both printed. After all, they could
legitimately be different. An IP that gives a stack fingerprint
match of "Linksys WRT54G broadband router" and a service fingerprint
of Windows based on Kazaa running is likely a common NAT setup rather
than an Nmap mistake.

Nmap on Windows now compiles/links with the new WinPcap 3.1
header/lib files. So please upgrade to 3.1 from
http://www.winpcap.org before installing this version of Nmap.
While older versions may still work, they aren't supported with Nmap.

The official Nmap RPM files are now compiled statically for better
compatibility with other systems. X86_64 (AMD Athlon64/Opteron)
binaries are now available in addition to the standard i386. NmapFE
RPMs are no longer distributed by Insecure.Org.

Nmap distribution signing has changed. Release files are now signed
with a new Nmap Project GPG key (KeyID 6B9355D0). Fyodor has also
generated a new key for himself (KeyID 33599B5F). The Nmap key has
been signed by Fyodor's new key, which has been signed by Fyodor's
old key so that you know they are legit. The new keys are available
at https://svn.nmap.org/nmap/docs/nmap_gpgkeys.txt , as
docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public
keyserver network. Here are the fingerprints:

Fixed a crash problem related to non-portable varargs (vsnprintf)
usage. Reports of this crash came from Alan William Somers
(somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
This patch was prevalent on Linux boxes running an Opteron/Athlon64
CPU in 64-bit mode.

Fixed crash when Nmap is compiled using gcc 4.X by adding the
-fno-strict-aliasing option when that compiler is detected. Thanks
to Greg Darke (starstuff(a)optusnet.com.au) for discovering that
this option fixes (hides) the problem and to Duilio J. Protti
(dprotti(a)flowgate.net) for writing the configure patch to detect
gcc 4 and add the option. A better fix is to identify and rewrite
lines that violate C99 alias rules, and we are looking into that.

Added "rarity" feature to Nmap version detection. This causes
obscure probes to be skipped when they are unlikely to help. Each
probe now has a "rarity" value. Probes that detect dozens of
services such as GenericLines and GetRequest have rarity values of
1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
When interrogating a port, Nmap always tries probes registered to
that port number. So even WWWOFFLEctrlstat will be tried against
port 8081 and mydoom will be tried against open ports between 3127
and 3198. If none of the registered ports find a match, Nmap tries
probes that have a rarity less than or equal to its current
intensity level. The intensity level defaults to 7 (so that most of
the probes are done). You can set the intensity level with the new
--version_intensity option. Alternatively, you can just use
--version_light or --version_all which set the intensity to 2 (only
try the most important probes and ones registered to the port
number) and 9 (try all probes), respectively. --version_light is
much faster than default version detection, but also a bit less
likely to find a match. This feature was designed and implemented
by Doug Hoyte (doug(a)hcsw.org).

Added a "fallback" feature to the nmap-service-probes database.
This allows a probe to "inherit" match lines from other probes. It
is currently only used for the HTTPOptions, RTSPRequest, and
SSLSessionReq probes to inherit all of the match lines from
GetRequest. Some servers don't respond to the Nmap GetRequest (for
example because it doesn't include a Host: line) but they do respond
to some of those other 3 probes in ways that GetRequest match lines
are general enough to match. The fallback construct allows us to
benefit from these matches without repeating hundreds of signatures
in the file. This is another feature designed and implemented
by Doug Hoyte (doug(a)hcsw.org).

Fixed crash with certain --excludefile or
--exclude arguments. Thanks to Kurt Grutzmacher
(grutz(a)jingojango.net) and pijn trein (ptrein(a)gmail.com) for
reporting the problem, and to Duilio J. Protti
(dprotti(a)flowgate.net) for debugging the issue and sending the
patch.

Updated random scan (ip_is_reserved()) to reflect the latest IANA
assignments. This patch was sent in by Felix Groebert
(felix(a)groebert.org).

Included new Russian man page translation by
locco_bozi(a)Safe-mail.net

Applied patch from Steve Martin (smartin(a)stillsecure.com) which
standardizes many OS names and corrects typos in nmap-os-fingerprints.

Fixed a crash found during certain UDP version scans. The crash was
discovered and reported by Ron (iago(a)valhallalegends.com) and fixed
by Doug Hoyte (doug(a)hcsw.com).

Added --iflist argument which prints a list of system interfaces and
routes detected by Nmap.

Fixed an Nmap version detection crash on Windows which led to the
error message "Unexpected error in NSE_TYPE_READ callback. Error
code: 10053 (Unknown error)". Thanks to Srivatsan
(srivatsanp(a)adventnet.com) for reporting the problem.

Fixed some misspellings in docs/nmap.xml reported by Tom Sellers.

Applied some changes from Gisle Vanem (giva(a)bgnett.no) to make
Nmap compile with Cygwin.

XML "osmatch" element now has a "line" attribute giving the
reference fingerprint line number in nmap-os-fingerprints.

Added a distcc probes and a bunch of smtp matches from Dirk Mueller
(mueller(a)kde.org) to nmap-service-probes. Also added AFS version
probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And
even more probes and matches from Martin Macok
(martin.macok(a)underground.cz)

Fixed a problem where Nmap compilation would use header files from
the libpcap included with Nmap even when it was linking to a system
libpcap. Thanks to Solar Designer (solar(a)openwall.com) and Okan
Demirmen (okan(a)demirmen.com) for reporting the problem.

Added configure option --with-libpcap=included to tell Nmap to use
the version of libpcap it ships with rather than any that may already be
installed on the system. You can still use --with-libpcap=[dir] to
specify that a system libpcap be installed rather than the shipped
one. By default, Nmap looks at both and decides which one is likely
to work best. If you are having problems on Solaris, try
--with-libpcap=included .

Changed the --no-stylesheet option to --no_stylesheet to be
consistent with all of the other Nmap options. Though I'm starting to
like hyphens a bit better than underscores and may change all of the
options to use hyphens instead at some point.

Added "Exclude" directive to nmap-service-probes grammar which
causes version detection to skip listed ports. This is helpful for
ports such as 9100. Some printers simply print any data sent to
that port, leading to pages of HTTP requests, SMB queries, X Windows
probes, etc. If you really want to scan all ports, specify
--allports. This patch came from Doug Hoyte (doug(a)hcsw.org).

Added a stripped-down and heavily modified version of Dug Song's
libdnet networking library (v. 1.10). This helps with the new raw
ethernet features. My (extensive) changes are described in
libdnet-stripped/NMAP_MODIFICATIONS

Removed WinIP library (and all Windows raw sockets code) since MS
has gone and broken raw sockets. Maybe packet receipt via raw
sockets will come back at some point. As part of this removal, the
Windows-specific --win_help, --win_list_interfaces, --win_norawsock,
--win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,
and --win_trace options have been removed.

Changed the interesting ports array from a 65K-member array of
pointers into an STL list. This noticeable reduces memory usage in
some cases, and should also give a slight runtime performance
boost. This patch was written by Paul Tarjan (ptarjan(a)gmail.com).

Removed the BSDFIX/BSDUFIX macros. The underlying bug in
FreeBSD/NetBSD is still there though. When an IP packet is sent
through a raw socket, these platforms require the total length and
fragmentation offset fields of an IP packet to be in host byte order
rather than network byte order, even though all the other fields
must be in NBO. I believe that OpenBSD fixed this a while back.
Other platforms, such as Linux, Solaris, Mac OS X, and Windows take
all of the fields in network byte order. While I removed the macro,
I still do the munging where required so that Nmap still works on
FreeBSD.

Added some new RPC services to nmap-rpc thanks to a patch from
vlad902 (vlad902(a)gmail.com).

Fixed a bug where Nmap would quit on Windows whenever it encountered
a raw scan of localhost (including the local ethernet interface
address), even when that was just one address out of a whole network
being scanned. Now Nmap just warns that it is skipping raw scans when
it encounters the local IP, but continues on to scan the rest of the
network. Raw scans do not currently work against local IP addresses
because WinPcap doesn't support reading/writing localhost interfaces
due to limitations of Windows.

The OS fingerprint is now provided in XML output if debugging is
enabled (-d) or verbosity is at least 2 (-v -v). This patch was
sent by Okan Demirmen (okan(a)demirmen.com)

Updated GNU shtool (a helper program used during 'make install' to
version 2.0.2, which fixes a predictable temporary filename
weakness discovered by Eric Raymond.

Removed addport element from XML DTD, since it is no longer used
(suggested by Lionel Cons (lionel.cons(a)cern.ch)

Added new --privileged command-line option and NMAP_PRIVILEGED
environmental variable. Either of these tell Nmap to assume that
the user has full privileges to execute raw packet scans, OS
detection and the like. This can be useful when Linux kernel
capabilities or other systems are used that allow non-root users to
perform raw packet or ethernet frame manipulation. Without this
flag or variable set, Nmap bails on UNIX if geteuid() is
nonzero.

Changed the RPM spec file so that if you define "static" to 1 (by
passing --define "static 1" to rpmbuild), static binaries are built.

ultra_scan() now sets pseudo-random ACK values (rather than 0) for
any TCP scans in which the initial probe packet has the ACK flag set.
This would be the ACK, Xmas, Maimon, and Window scans.

Updated the Nmap version number, description, and similar fields
that MS Visual Studio places in the binary. This was done by editing
mswin32/nmap.rc as suggested by Chris Paget (chrisp(a)ngssoftware.com)

Fixed Nmap compilation on DragonFly BSD (and perhaps some other
systems) by applying a short patch by Joerg Sonnenberger which omits
the declaration of errno if it is a #define.

Fixed an integer overflow that prevented Nmap from scanning
2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1). Problem
noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans
are now possible, don't expect them to finish during your bathroom
break. No matter how constipated you are.

Increased the buffer size allocated for fingerprints to prevent Nmap
from running out and quitting (error message: "Assertion
`servicefpalloc - servicefplen > 8' failed". Thanks to Mike Hatz
(mhatz(a)blackcat.com) for the report. (Actually this was done in a
previous version, but I forgot which one.)

Changed from CVS to Subversion source control system (which
rocks!). Neither repository is public (I'm paranoid because both CVS
and SVN have had remotely exploitable security holes), so the main
change users will see is that "Id" tags in file headers use the SVN
format for version numbering and such.

Nmap now ships with and installs (in the same directory as other
data files such as nmap-os-fingerprints) an XSL stylesheet for
rendering the XML output as HTML. This stylesheet was written by
Benjamin Erb ( see http://www.benjamin-erb.de/nmap/ for examples).
It supports tables, version detection, color-coded port states, and
more. The XML output has been augmented to include an
xml-stylesheet directive pointing to nmap.xsl on the local
file system. You can point to a different XSL file by providing the
filename or URL to the new --stylesheet argument. Omit the
xml-stylesheet directive entirely by specifying --no-stylesheet.
The XML to HTML conversion can be done with an XSLT processor such
as Saxon, Sablot, or Xalan, but modern browsers can do this on the
fly -- simply load the XML output file in IE or Firefox. Some
features don't currently work with Firefox's on-the-fly rendering.
Perhaps some Mozilla wizard can fix that in either the XSL or the
browser itself. I hate having things work better in IE :). It is
often more convenient to have the stylesheet loaded from a URL
rather than the local file system, allowing the XML to be rendered on
any machine regardless of whether/where the XSL is installed. For
privacy reasons (avoid loading of an external URL when you view
results), Nmap uses the local file system by default. If you would
like the latest version of the stylesheet loaded from the web when
rendering, specify --stylesheet https://svn.nmap.org/nmap/docs/nmap.xsl .

Fixed fragmentation option (-f). One -f now sets sends fragments
with just 8 bytes after the IP header, while -ff sends 16 bytes to
reduce the number of fragments needed. You can specify your own
fragmentation offset (must be a multiple of 8) with the new --mtu
flag. Don't also specify -f if you use --mtu. Remember that some
systems (such as Linux with connection tracking) will defragment in
the kernel anyway -- so test first while sniffing with ethereal.
These changes are from a patch by Martin Macok
(martin.macok(a)underground.cz).

Nmap now prints the number (and total bytes) of raw IP packets sent
and received when it completes, if verbose mode (-v) is enabled. The
report looks like:

Fixed (I hope) an error which would cause the Windows version of
Nmap to abort under some circumstances with the error message
"Unexpected error in NSE_TYPE_READ callback. Error code: 10053
(Unknown error)". Problem reported by "Tony Golding"
(biz(a)tonygolding.com).

Added new "closed|filtered" state. This is used for Idle scan, since
that scan method can't distinguish between those two states. Nmap
previously just used "closed", but this is more accurate.

Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered"
instead of "open" when they fail to receive any response from the
target port. After all, it could just as easily be filtered as open.
This is the same change that was made to UDP scan in 3.70. Also as
with UDP scan, adding version detection (-sV) will change the state
from open|filtered to open if it confirms that they really are open.

Fixed a bug in ACK scan that could cause Nmap to crash with the
message "Unexpected port state: 6" in some cases. Thanks to Glyn
Geoghegan (glyng(a)corsaire.com) for reporting the problem.

Change IP protocol scan (-sO) so that a response from the target
host in any protocol at all will prove that protocol is open. As
before, no response means "open|filtered", an ICMP protocol
unreachable means "closed", and most other ICMP error messages mean
"filtered".

Patched a libpcap issue that prevented read timeouts from being
honored on Solaris (thus slowing down Nmap substantially). The
problem report and patch were sent in by Ben Harris
(bjh21(a)cam.ac.uk).

Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and
UDP headers when scanning protocols 1, 6, and 17, respectively. An
empty IP header is still sent for all other protocols. This should
prevent the error messages such as "sendto in send_ip_packet:
sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not
permitted" that Linux (and perhaps other systems) would give when
they try to interpret the raw packet. This also makes it more
likely that these protocols will elicit a response, proving that the
protocol is "open".

The windows build now uses header and static library files from
WinPcap 3.1Beta4. It also now prints out the DLL version you are
using when run with -d. I would recommend upgrading to 3.1Beta4 if
you have an older WinPcap installed.

Nmap now prints a warning message on Windows if WinPcap is not found
(it then reverts to raw sockets mode if available, as usual).

Added an NTP probe and matches to the version detection database
(nmap-service-probes) thanks to a submission from Martin
Macok (martin.macok(a)underground.cz).

Applied several Nmap service detection database updates sent in by
Martin Macok (martin.macok(a)underground.cz).

The XML nmaprun element now has a startstr attribute which gives the
human readable calendar time format that a scan started. Similarly
the finished element now has a timestr attribute describing when the
scan finished. These are in addition to the existing nmaprun/start
and finished/time attributes that provided the start and finish time
in UNIX time_t notation. This should help in development of
XSLT stylesheets for Nmap XML output.

Fixed a memory leak that would generally consume several hundred
bytes per down host scanned. While the effect for most scans is
negligible, it was overwhelming when Scott Carlson
(Scott.Carlson(a)schwab.com) tried to scan 16.8 million IPs
(10.0.0.0/8). Thanks to him for reporting the problem. Also thanks
to Valgrind ( http://valgrind.kde.org ) for making it easy to debug.

Fixed a crash on Windows systems that don't include the iphlpapi
DLL. This affects Win95 and perhaps other variants. Thanks to Ganga
Bhavani (GBhavani(a)everdreamcorp.com) for reporting the problem and
sending the patch.

Ensured that the device type, os vendor, and os family OS
fingerprinting classification values are scrubbed for XML compliance
in the XML output. Thanks to Matthieu Verbert
(mve(a)zurich.ibm.com) for reporting the problem and sending a patch.

Rewrote the host IP (target specification) parser for easier
maintenance and to fix a bug found by Netris (netris(a)ok.kz)

Changed to Nmap XML DTD to use the same xmloutputversion (1.01) as
newer versions of Nmap. Thanks to Laurent Estieux
(laurent.estieux(a)free.fr) for reporting the problem.

Fixed compilation on some HP-UX 11 boxes thanks to a patch by Petter
Reinholdtsen (pere(a)hungry.com).

Fixed a portability problem on some OpenBSD and FreeBSD machines
thanks to a patch by Okan Demirmen (okan(a)demirmen.com).

Implemented a huge OS fingerprint database update. The number of
fingerprints increased more than 20% to 1,353 and many of the
existing ones are much improved. Notable updates include the fourth
edition of Bell Lab's Plan9, Grandstream's BugeTone 101 IP Phone,
and Bart's Network Boot Disk 2.7 (which runs MS-DOS). Oh, and Linux
kernels up to 2.6.8, dozens of new Windows fingerprints including XP
SP2, the latest Longhorn warez, and many modified Xboxes, OpenBSD
3.6, NetBSD up to 2.0RC4, Apple's AirPort Express WAP and OS X
10.3.3 (Panther) release, Novell Netware 6.5, FreeBSD 5.3-BETA, a
bunch of Linksys and D-Link consumer junk, the latest Cisco IOS 12.2
releases, a ton of miscellaneous broadband routers and printers, and
much more.

Updated nmap-mac-prefixes with the latest OUIs from the IEEE.

Updated nmap-protocols with the latest IP protocols from IANA

Added a few new Nmap version detection signatures thanks to a patch
from Martin Macok (martin.macok(a)underground.cz).

Fixed a crash problem in the Windows version of Nmap, thanks to a
patch from Ganga Bhavani GBhavani(a)everdreamcorp.com).

Fixed Windows service scan crashes that occur with the error message
"Unexpected nsock_loop error. Error code 10022 (Unknown error)". It
turns out that Windows does not allow select() calls with all three
FD sets empty. Lame. The Linux select() man page even suggests
calling "select with all three sets empty, n zero, and a non-null
timeout as a fairly portable way to sleep with subsecond precision."
Thanks to Gisle Vanem (giva(a)bgnett.no) for debugging help.

Added --max_scan_delay parameter. Nmap will sometimes increase the
delay itself when it detects many dropped packets. For example,
Solaris systems tend to respond with only one ICMP port unreachable
packet per second during a UDP scan. So Nmap will try to detect
this and lower its rate of UDP probes to one per second. This can
provide more accurate results while reducing network congestion, but
it can slow the scans down substantially. By default (with no -T
options specified), Nmap allows this delay to grow to one second per
probe. This option allows you to set a lower or higher maximum.
The -T4 and -T5 scan modes now limit the maximum scan delay for TCP
scans to 10 and 5 ms, respectively.

Fixed a bug that prevented RPC scan (-sR) from working for UDP ports
unless service detection (-sV) was used. -sV is still usually a
better approach than -sR, as the latter ONLY handles RPC. Thanks to
Stephen Bishop (sbishop(a)idsec.co.uk) for reporting the problem and
sending a patch.

Fixed nmap_fetchfile() to better find custom versions of data files
such as nmap-services. Note that the implicitly read directory
should be ~/.nmap rather than ~/nmap . So you may have to move any
customized files you now have in ~/nmap . Thanks to nnposter
(nnposter(a)users.sourceforge.net) for reporting the problem and
sending a patch.

Changed XML output so that the MAC address <address> element comes
right after the IPv4/IPv6 <address> element. Apparently this is
needed to comply with the DTD ( https://svn.nmap.org/nmap/docs/nmap.dtd ).
Thanks to Adam Morgan (adam.morgan(a)Q1Labs.com) and Florian Ebner
(Florian.Ebner(a)e-bros.de) for the problem reports.

Fixed a timing problem in which a specified large --send_delay would
sometimes be reduced to 1 second during a scan. Thanks to Martin
Macok (martin.macok(a)underground.cz) for reporting the problem.

Fixed a timing problem with sneaky and paranoid modes (-T1 and -T0)
which would cause Nmap to continually scan the same port and never
hit other ports when scanning certain firewalled hosts. Thanks to
Curtis Doty (Curtis(a)GreenKey.net) for reporting the problem.

Fixed a bug in the build system that caused most Nmap subdirectories
to be configured twice. Changing the variable holding the name of
subdirs from $subdirs to $nmap_cfg_subdirs resolved the problem --
configure must have been using that variable name for its own internal
operations. Anyway, this should reduce compile time significantly.

Made a trivial change to nsock/src/nsock_event.c to work around a "a
bug in GCC 3.3.1 on FreeBSD/sparc64". I found the patch by digging
around the FreeBSD ports tree repository. It would be nice if the
FreeBSD Nmap port maintainers would report such things to me, rather
than fixing it in their own Nmap tree and then applying the patch to
every future version. On the other hand, they deserve some sort of
"most up-to-date" award. I stuck Nmap 3.71-PRE1 in the dist
directory for a few people to test, and made no announcement or
direct link. The FreeBSD crew found it and upgraded anyway :). The
gcc-workaround patch was apparently submitted to the FreeBSD folks
by Marius Strobl (marius(a)alchemy.franken.de).

Fixed (I hope) an OS detection timing issue which would in some
cases lead to the warning that "insufficient responses for TCP
sequencing (3), OS detection may be less accurate." Thanks to Adam
Kerrison (adam(a)tideway.com) for reporting the problem.

Modified the warning given when files such as nmap-services exist in
both the compiled in NMAPDATADIR and the current working directory.
That message should now only appear once and is more clear.

Fixed ping scan subsystem to work a little bit better when
--scan_delay (or some of the slower -T templates which include a scan
delay) is specified. Thanks to Shahid Khan (khan(a)asia.apple.com)
for suggestions.

Rewrote core port scanning engine, which is now named ultra_scan().
Improved algorithms make this faster (often dramatically so) in
almost all cases. Not only is it superior against single hosts, but
ultra_scan() can scan many hosts (sometimes hundreds) in parallel.
This offers many efficiency/speed advantages. For example, hosts
often limit the ICMP port unreachable packets used by UDP scans to
1/second. That made those scans extraordinarily slow in previous
versions of Nmap. But if you are scanning 100 hosts at once,
suddenly you can receive 100 responses per second. Spreading the
scan amongst hosts is also gentler toward the target hosts. Nmap
can still scan many ports at the same time, as well. If you find
cases where ultra_scan is slower or less accurate, please send a
report (including exact command-lines, versions used, and output, if
possible) to Fyodor.

Added --max_hostgroup option which specifies the maximum number of
hosts that Nmap is allowed to scan in parallel.

Added --min_hostgroup option which specifies the minimum number of
hosts that Nmap should scan in parallel (there are some exceptions
where Nmap will still scan smaller groups -- see man page). Of
course, Nmap will try to choose efficient values even if you don't
specify hostgroup restrictions explicitly.

Rewrote TCP SYN, ACK, Window, and Connect() scans to use
ultra_scan() framework, rather than the old pos_scan().

Rewrote FIN, Xmas, NULL, Maimon, UDP, and IP Protocol scans to use
ultra_scan(), rather than the old super_scan().

Overhauled UDP scan. Ports that don't respond are now classified as
"open|filtered" (open or filtered) rather than "open". The (somewhat
rare) ports that actually respond with a UDP packet to the empty
probe are considered open. If version detection is requested, it
will be performed on open|filtered ports. Any that respond to any of
the UDP probes will have their status changed to open. This avoids a
the false-positive problem where filtered UDP ports appear to be
open, leading to terrified newbies thinking their machine is
infected by back orifice.

Nmap now estimates completion times for almost all port scan types
(any that use ultra_scan()) as well as service scan (version
detection). These are only shown in verbose mode (-v). On scans
that take more than a minute or two, you will see occasional updates
like:
SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining)
New updates are given if the estimates change significantly.

Added --exclude option, which lets you specify a comma-separated
list of targets (hosts, ranges, netblocks) that should be excluded
from the scan. This is useful to keep from scanning yourself, your
ISP, particularly sensitive hosts, etc. The new --excludefile reads
the list (newline-delimited) from a given file. All the work was
done by Mark-David McLaughlin (mdmcl(a)cisco.com> and William McVey
( wam(a)cisco.com ), who sent me a well-designed and well-tested
patch.

Nmap now has a "port scan ping" system. If it has received at least
one response from any port on the host, but has not received
responses lately (usually due to filtering), Nmap will "ping" that
known-good port occasionally to detect latency, packet drop rate,
etc.

Service/version detection now handles multiple hosts at once for
more efficient and less-intrusive operation.

Nmap now wishes itself a happy birthday when run on September 1 in
verbose mode! The first public release was on that date in 1997.

The port randomizer now has a bias toward putting
commonly-accessible ports (80, 22, etc.) near the beginning of the
list. Getting a response early helps Nmap calculate response times and
detect packet loss, so the scan goes faster.

Host timeout system (--host_timeout) overhauled to support host
parallelization. Hosts times are tracked separately, so a host that
finishes a SYN scan quickly is not penalized for an exceptionally
slow host being scanned at the same time.

When Nmap has not received any responses from a host, it can now
use certain timing values from other hosts from the same scan
group. This way Nmap doesn't have to use absolute-worst-case
(300bps SLIP link to Uzbekistan) round trip timeouts and such.

Enabled MAC address reporting when using the Windows version
of Nmap. Thanks to Andy Lutomirski (luto(a)stanford.edu) for
writing and sending the patch.

Workaround crippled raw sockets on Microsoft Windows XP SP2 scans.
I applied a patch by Andy Lutomirski (luto(a)stanford.edu) which
causes Nmap to default to WinPcap sends instead. The WinPcap send
functionality was already there for versions of Windows such as NT and
Win98 that never supported Raw Sockets in the first place.

Changed how Nmap sends ARP requests on Windows to use the iphlpapi
SendARP() function rather than creating it raw and reading the
response from the Windows ARP cache. This works around a
(reasonable) feature of Windows Firewall which ignored such
unsolicited responses. The firewall is turned on by default as of
Windows XP SP2. This change was implemented by Dana Epp
(dana(a)vulscan.com).

Upgraded libpcap from version 0.7.2 to 0.8.3. This was an attempt
to fix an annoying bug, which I then found was actually in my code
rather than libpcap :).

Removed Ident scan (-I). It was rarely useful, and the
implementation would have to be rewritten for the new ultra_scan()
system. If there is significant demand, perhaps I'll put it back in
sometime.

Documented the --osscan_limit option, which saves time by skipping
OS detection if at least one open and one closed port are not found on
the remote hosts. OS detection is much less reliable against such
hosts anyway, and skipping it can save some time.

Updated nmapfe.desktop file to provide better NmapFE desktop support
under Fedora Core and other systems. Thanks to Mephisto
(mephisto(a)mephisto.ma.cx) for sending the patch.

Further nmapfe.desktop changes to better fit the freedesktop
standard. The patch came from Murphy (m3rf(a)swimmingnoodle.com).

Fixed capitalization (with a Perl script) of many over-capitalized
vendor names in nmap-mac-prefixes.

Ensured that MAC address vendor names are always escaped in XML
output if they contain illegal characters (particularly '&'). Thanks
to Matthieu Verbert (mve(a)zurich.ibm.com) for the report and a patch.

Changed xmloutputversion in XML output from 1.0 to 1.01 to note that
there was a slight change (which was actually the MAC stuff in 3.55).
Thanks to Lionel CONS (lionel.cons(a)cern.ch) for the suggestion.

Many Windows portability fix and bug fixes, thanks to patch from
Gisle Vanem (giva(a)bgnett.no). With these changes, he was able to
compile Nmap on Windows using MingW + gcc 3.4 C++ rather than MS
Visual Studio.

Removed (addport) tags from XML output. They used to provide open
ports as they were discovered, but don't work now that the port
scanners scan many hosts at once. They did not specify an IP
address. Of course the appropriate (port) tags are still printed
once scanning of a target is complete.

Configure script now detects GNU/k*BSD systems (whatever those are),
thanks to patch from Robert Millan (rmh(a)debian.org)

Fixed various crashes and assertion failures related to the new
ultra_scan() system, that were found by Arturo "Buanzo" Busleiman
(buanzo(a)buanzo.com.ar), Eric (catastrophe.net), and Bill Petersen
(bill.petersen(a)alcatel.com).

Fixed some minor memory leaks relating to ping and list scanning as
well as the Nmap output table. These were found with Valgrind (
http://valgrind.kde.org/ ).

Fixed some warnings that crop up when compiling Nbase C files with a
C++ compiler. Thanks to Gisle Vanem (giva(a)bgnett.no) for sending
the patch.

Tweaked the License blurb on source files and in the man page. It
clarifies some issues and includes a new GPL exception that
explicitly allows linking with the OpenSSL library. Some people
believe that the GPL and OpenSSL licenses are incompatible without
this special exception.

Added MAC address printing. If Nmap receives packet from a target
machine which is on an Ethernet segment directly connected to the
scanning machine, Nmap will print out the target MAC address. Nmap
also now contains a database (derived from the official IEEE
version) which it uses to determine the vendor name of the target
ethernet interface. The Windows version of Nmap does not yet have
this capability. If any Windows developer types are interesting in
adding it, you just need to implement IPisDirectlyConnected() in
tcpip.cc and then please send me the patch. Here are examples from
normal and XML output:
MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems)
<address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" addrtype="mac" />

Updated the XML DTD to support the newly printed MAC addresses.
Thanks to Thorsten Holz (thorsten.holz(a)mmweg.rwth-aachen.de) for
sending this patch.

Added a bunch of new and fixed service fingerprints for version
detection. These are from Martin Macok
(martin.macok(a)underground.cz).

Modified the mswine32/nmap_performance.reg Windows registry file to
use an older and more compatible version. It also now includes the
value "StrictTimeWaitSeqCheck"=dword:00000001 , as suggested by Jim
Harrison (jmharr(a)microsoft.com). Without that latter value, the
TcpTimedWaitDelay value apparently isn't checked. Windows users
should apply the new registry changes by clicking on the .reg file.
Or do it manually as described in README-WIN32. This file is also
now available in the data directory at
https://svn.nmap.org/nmap/docs/nmap_performance.reg

Applied patch from Gisle Vanem (giva(a)bgnett.no) which allows the
Windows version of Nmap to work with WinPCAP 3.1BETA (and probably
future releases). The WinPcap folks apparently changed the encoding
of adapter names in this release.

If a user attempts -PO (the letter O), print an error suggesting
that they probably mean -P0 (Zero) to disable ping scanning.

Applied a couple patches (with minor changes) from Oliver Eikemeier
(eikemeier(a)fillmore-labs.com) which fix an edge case relating to
decoy scanning IP ranges that must be sent through different
interfaces, and improves the Nmap response to certain error codes
returned by the FreeBSD firewall system. The patches are from
http://cvsweb.freebsd.org/ports/security/nmap/files/ .

Many people have reported this error: "checking for type of 6th
argument to recvfrom()... configure: error: Cannot find type for 6th
argument to recvfrom()". In most cases, the cause was a missing or
broken C++ compiler. That should now be detected earlier with a
clearer message.

Fixed some minor bugs related to the new MAC address printing
feature.

Fixed a problem with UDP-scanning port 0, which was reported by
Sebastian Wolfgarten (sebastian(a)wolfgarten.com).

Applied patch from Ruediger Rissmann (RRI(a)zurich.ibm.com), which
helps Nmap understand an EACCESS error, which can happen at least
during IPv6 scans from certain platforms to some firewalled targets.

Renamed ACK ping scan option from -PT to -PA in the documentation.
Nmap has accepted both names for years and will continue to do
so.

Removed the notice that Nmap is reading target specifications from a
file or stdin when you specify the -iL option. It was sometimes
printed to stdout even when you wanted to redirect XML or grepable
output there, because it was printed during options processing before
output files were handled. This change was suggested by Anders Thulin
(ath(a)algonet.se).

Added --source_port as a longer, but hopefully easier to remember,
alias for -g. In other words, it tries to use the constant source
port number you specify for probes. This can help against poorly
configured firewalls that trust source port 20, 53, and the like.

Removed undocumented (and useless) -N option.

Fixed a version detection crash reported in excellent detail by
Jedi/Sector One (j(a)pureftpd.org).

Modified the configure/build system to fix library ordering problems
that prevented Nmap from building on certain platforms. Thanks to
Greg A. Woods (woods(a)weird.com) and Saravanan
(saravanan_kovai(a)HotPop.com) for the suggestions.

Applied a patch to Makefile.in from Scott Mansfield
(thephantom(a)mac.com) which enables the use of a DESTDIR variable
to install the whole Nmap directory structure under a different root
directory. The configure --prefix option would do the same thing in
this case, but DESTDIR is apparently a standard that package
maintainers like Scott are used to. An example usage is
"make DESTDIR=/tmp/packageroot".

Removed unnecessary banner printing in the non-root connect() ping
scan. Thanks to Tom Rune Flo (tom(a)x86.no) for the suggestion and
a patch.

Updated the headers at the top of each source file (mostly to
advance the copyright year to 2004 and note that Nmap is a registered
trademark).

The SInfo line of submitted fingerprints now provides the target's
OUI (first three bytes of the MAC address) if available. Example:
"M=00A0CC". To save a couple bytes, the "Time" field in SInfo has
been renamed to "Tm". The OUI helps identify the device vendor, and
is only available when the source and target machines are on the
same ethernet network.

Integrated a ton of service fingerprints, increasing the number of
signatures more than 50%. It has now exceeded 1,000 for the first
time, and represents 180 unique service protocols from acap, afp,
and aim to xml-rpc, zebedee, and zebra.

Implemented a huge OS fingerprint update. The number of
fingerprints has increased more than 13% to 1,121. This is the first
time it has exceeded 1000. Notable updates include Linux 2.6.0, Mac
OS X up to 10.3.2 (Panther), OpenBSD 3.4 (normal and pf "scrub all"),
FreeBSD 5.2, the latest Windows Longhorn warez, and Cisco PIX 6.3.3.
As usual, there are a ton of new consumer devices from ubiquitous
D-Link, Linksys, and Netgear broadband routers to a number of new IP
phones including the Cisco devices commonly used by Vonage. Linksys
has apparently gone special-purpose with some of their devices, such
as their WGA54G "Wireless Game Adapter" and WPS54GU2 wireless print
server. A cute little MP3 player called the Rio Karma was submitted
multiple times and I also received and integrated fingerprints for the
Handspring Treo 600 (PalmOS).

Added version scan information to grepable output between the last
two '/' delimiters (that space was previously unused). So the format
is now "portnum/state/protocol/owner/servicename/rpcinfo/versioninfo"
as in "53/open/tcp//domain//ISC Bind 9.2.1/" and
"22/open/tcp//ssh//OpenSSH 3.5p1 (protocol 1.99)/". Thanks to
MadHat (madhat(a)unspecific.com) for sending a patch (although I did
it differently). Note that any '/' characters in the
version (or owner) field are replaced with '|' to keep awk/cut
parsing simple. The service name field has been updated so that it
is the same as in normal output (except for the same sort of
escaping discussed above).

Integrated an Oracle TNS service probe and match lines contributed
by Frank Berger (fm.berger(a)gmx.de). New probe contributions are
always appreciated!

Fixed a crash that could happen during SSL version detection due to
SSL session ID cache reference counting issues.

Applied patch to nmap XML dtd (nmap.dtd) from Mario Manno
(mm(a)koeln.ccc.de). This accounts for the new version scanning
functionality.

Updated the Windows build system so that you don't have to manually
copy nmap-service-probes to the output directory. I also updated
the README-WIN32 to elaborate further on the build process.

Added configure option --with-libpcre=included which causes Nmap to
build with its included version of libpcre even if an acceptable
version is available on the system.

Upgraded to Autoconf 2.59 (from 2.57). This should help HP-UX
compilation problems reported by Petter Reinholdtsen
(pere(a)hungry.com) and may have other benefits as well.

Applied patch from Przemek Galczewski (sako(a)avet.com.pl) which
adds spaces to the XML output in places that apparently help certain
older XML parsers.

Made Ident-scan (-I) limits on the length and type of responses
stricter so that rogue servers can't flood your screen with 1024
characters. The new length limit is 32. Thanks to Tom Rune Flo
(tom(a)x86.no) for the suggestion and a patch.

Fingerprints for unrecognized services can now be a bit longer to
avoid truncating as much useful response information. While the
fingerprints can be longer now, I hope they will be less frequent
because of all the newly recognized services in this version.

The nmap-service-probes "match" directive can now take a service
name like "ssl/vmware-auth". The service will then be reported as
vmware-auth (or whatever follows "ssl/") tunneled by SSL, yet Nmap
won't actually bother initiating an SSL connection. This is useful
for SSL services which can be fully recognized without the overhead
of making an SSL connection.

Version scan now chops commas and whitespace from the end of
vendorproductname, version, and info fields. This makes it easier to
write templates incorporating lists. For example, the tcpmux service
(TCP port 1) gives a list of supported services separated by CRLF.
Nmap uses this new feature to print them comma separated without
having an annoying trailing comma as so (linewrapped):

Added the ability to execute "helper functions" in version
templates, to help clean up/manipulate data captured from a server
response. The first defined function is P() which includes only
printable characters in a captured string. The main impetus for
this is to deal with Unicode strings like
"W\0O\0R\0K\0G\0R\0O\0U\0P\0" that many MS protocols send. Nmap can
now decode that into "WORKGROUP".

Added SUBST() helper function, which replaces strings in matched
appname/version/extrainfo strings with something else. For example,
VanDyke Vshell gives a banner that includes
"SSH-2\.0-VShell_2_2_0_528". A substring match is used to pick out
the string "2_2_0_528", and then SUB21ST(1,"_",".") is called on that
match to form the version number 2.2.0.528.

If responses to a probe fail to match any of the registered match
strings for that probe, Nmap will now try against the registered "null
probe" match strings. This helps in the case that the NULL probe
initially times out (perhaps because of initial DNS lookup) but the
banner appears in later responses.

Applied some portability fixes (particularly for OpenBSD) from Chad
Loder (cloder(a)loder.us), who is also now the OpenBSD Nmap port
maintainer.

The tarball distribution of Nmap now strips the binary at install
time thanks to a patch from Marius Strobl
(marius(a)alchemy.franken.de).

Fixed a problem related to building Nmap on systems that lack PCRE
libs (and thus have to use the ones included by Nmap). Thanks to Remi
Denis-Courmont (deniscr6(a)cti.ecp.fr) for the report and patch.

Alphabetized the service names in each Probe section in
nmap-service-probes (makes them easier to find and add to).

Fixed the problem several people reported where Nmap would quit with
a "broken pipe" error during service scanning. Thanks to Jari Ruusu
(jari.ruusu(a)pp.inet.fi) for sending a patch. The actual error
message was "Unexpected error in NSE_TYPE_READ callback. Error
code: 32 (Broken pipe)"

Fixed protocol scan (-sO), which I had broken when adding the new
output table format. It would complain "NmapOutputTable.cc:128:
failed assertion `row < numRows'". Thanks to Matt Burnett
(marukka(a)mac.com) for notifying me of the problem.

Upgraded Libpcap to the latest tcpdump.org version (0.7.2) from
0.7.1

Applied a patch from Peter Marschall (peter(a)adpm.de) which adds
version detection support to nmapfe.

Fixed a problem with XML output being invalid when service detection
was done on SSL-tunneled ports. Thanks to the several people who
reported this - it means that folks are actually using the XML
output :).

Fixed the --with-openssl configure option for people who have
OpenSSL installed in a path not automatically found by their
compilers. Thanks to Marius Strobl (marius(a)alchemy.franken.de) for
the patch.

Made some portability changes for HP-UX and possibly other types of
machines, thanks to a patch from Petter Reinholdtsen (pere(a)hungry.com)

Applied a patch from Matt Selsky (selsky(a)columbia.edu) which fixes
compilation on some Solaris boxes, and maybe others. The error said
"cannot compute sizeof (char)"

Applied some patches from the NetBSD ports tree that Hubert Feyrer
(hubert.feyrer(a)informatik.fh-regensburg.de) sent me. The NetBSD
Nmap ports page is at http://www.NetBSD.org/packages/net/nmap/ .

Added new HTTPOptions and RTSPRequest probes suggested by MadHat
(madhat(a)unspecific.com)

Changed the .spec file to compile Nmap RPMs without SSL support to
improve compatibility (Some users might not have OpenSSL, and even
those who do might not have the right version (libopenssl.so.2 vs
libopenssl.so.4, etc).

Applied a patch from Solar Eclipse (solareclipse(a)phreedom.org)
which increases the allowed size of the 'extrainfo' version field from
80 characters to 128. The main benefit is to allow longer apache module
version strings.

Applied some updates to README-WIN32 sent in by Kirby Kuehl
(kkuehl(a)cisco.com). He improved the list of suggested registry
changes and also fixed a typo or two. He also attached a .reg file
automate the Nmap connect() scan performance enhancing registry
changes. I am now including that with the Nmap Windows binary .zip
distribution (and in mswin32/ of the source distro).

Applied a one-line patch from Dmitry V. Levin (ldv(a)altlinux.org)
which fixes a test Nmap does during compilation to see if an existing
libpcap installation is recent enough.

Wrote and posted a new paper on version scanning to
https://nmap.org/book/vscan.html . Updated nmap-service-probes and
the Nmap man page to simply refer to this URL.

Integrated more service signatures from my own scanning as well as
contributions from Brian Hatch (bri(a)ifokr.org), MadHat
(madhat(a)unspecific.com), Max Vision (vision(a)whitehats.com), HD
Moore (hdm(a)digitaloffense.net), Seth Master
(smaster(a)stanford.edu), and Niels Heinen (zillion(a)safemode.org).
MadHat also contributed a new probe for Windows Media Service. Many
people set a LOT of signatures, which has allowed
nmap-service-probes to grow from 295 to 356 signatures representing
85 service protocols!

Applied a patch (with slight changes) from Brian Hatch
(bri(a)ifokr.org) which enables caching of SSL sessions so that
negotiation doesn't have to be repeated when Nmap reconnects to the same
between probes.

Applied a patch from Brian Hatch (bri(a)ifokr.org) which optimizes the
requested SSL ciphers for speed rather than security. The list was
based on empirical evidence from substantial benchmarking he did with
tests that resemble nmap-service-scanning.

Updated the Nmap man page to discuss the new version scanning
options (-sV, -A).

I now include nmap-version/aclocal.m4 in the distribution as this is
required to rebuild the configure script (thanks to Dmitry V. Levin
(ldv(a)altlinux.org) for notifying me of the problem).

Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which
detects whether the PCRE include file is <pcre.h> or <pcre

Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which
fixes typos in some error messages. The patch apparently came from
the highly-secure and stable Owl and Alt Linux distributions. Check
them out at http://www.openwall.com/Owl/ and
http://www.altlinux.com/

Stripped down libpcre build system to remove libtool dependency and
other cruft that Nmap doesn't need (this was mostly a response to
libtool-related issues on Mac OS X).

Added a new --version_trace option which causes Nmap to print out extensive
debugging info about what version scanning is doing (this is a subset
of what you would get with --packet_trace). You should usually use
this in combination with at least one -d option.

Fixed a port number printing bug that would cause Nmap service
fingerprints to give a negative port number when the actual port was
above 32K. Thanks to Seth Master (smaster(a)stanford.edu) for finding
this.

Updated all the header text again to clarify our interpretation of
"derived works" after some suggestions from Brian Hatch
(bri(a)ifokr.org)

Fixed a compilation problem on systems w/o OpenSSL that was
discovered by Solar Designer. I also fixed some compilation
problems on non-IPv6 systems. It now compiles and runs on my
Solaris and ancient OpenBSD systems.

Integrated more services thanks to submissions from Niels Heinen
(zillion(a)safemode.org).

Canonicalized the headers at the top of each Nmap/Nsock header source
file. This included clarifying our interpretation of derived works,
updating the copyright date to 2003, making the header a bit wider,
and a few other light changes. I've been putting this off for a
while, because it required editing about a hundred !#$# files!

Fixed a major bug in the Nsock time caching system. This could
cause service detection to inexplicably fail against certain ports in
the second or later machines scanned. Thanks to Solar Designer and HD
Moore for helping me track this down.

Fixed some *BSD compilation bugs found by
Zillion (zillion(a)safemode.org).

Integrated more services thanks to submissions from Fyodor Yarochkin
(fygrave(a)tigerteam.net), and Niels Heinen
(zillion(a)safemode.org), and some of my own exploring. There are
now 295 signatures.

Fixed a compilation bug found by Solar Designer on machines that
don't have struct sockaddr_storage. Nsock now just uses "struct
sockaddr *" like connect() does.

Fixed a bug found by Solar Designer which would cause the Nmap
portscan table to be truncated in -oN output files if the results are
very long.

Changed a bunch of large stack arrays (e.g. int portlookup[65536])
into dynamically allocated heap pointers. The large stack variables
apparently caused problems on some architectures. This issue was
reported by osamah abuoun (osamah_abuoun(a)hotmail.com).

Added an 'sslports' directive to nmap-service-probes. This tells
Nmap which service checks to try first for SSL-wrapped ports. The
syntax is the same as the normal 'ports' directive for non-ssl ports.
For example, the HTTP probe has an 'sslports 443' line and
SMTP-detecting probes have and 'sslports 465' line.

Integrated more services thanks to submissions from MadHat
(madhat(a)unspecific.com), Solar Designer (solar(a)openwall.com), Dug
Song (dugsong(a)monkey.org), pope(a)undersec.com, and Brian Hatch
(bri(a)ifokr.org). There are now 288 signatures, matching these 65
service protocols:

Added SSL-scan-through support. If service detection finds a port to be
SSL, it will transparently connect to the port using OpenSSL and use
version detection to determine what service lies beneath. This
feature is only enabled if OpenSSL is available at build time. A
new --with-openssl=DIR configure option is available if OpenSSL is
not in your default compiler paths. You can use --without-openssl
to disable this functionality. Thanks to Brian Hatch
(bri(a)ifokr.org) for sample code and other assistance. Make sure
you use a version without known exploitable overflows. In
particular, versions up to and including OpenSSL 0.9.6d and
0.9.7-beta2 contained serious vulnerabilities described at
http://www.openssl.org/news/secadv_20020730.txt . Note that these
vulnerabilities are well over a year old at the time of this
writing.

Integrated many more services thanks to submissions from Brian
Hatch, HellNBack ( hellnbak(a)nmrc.org ), MadHat, Solar Designer,
Simple Nomad, and Shawn Wallis (swallis(a)ku.edu). The number of
signatures has grown from 242 to 271. Thanks!

Fixed a segfault found by Solar Designer that could occur when
scanning certain "evil" services.

Fixed a problem reported by Solar Designer and MadHat (
madhat(a)unspecific.com ) where Nmap would bail when certain Apache
version/info responses were particularly long. It could happen in
other cases as well. Now Nmap just prints a warning.

Integrated many more services thanks to submissions from Simple
Nomad, Solar Designer, jerickson(a)inphonic.com, Curt Wilson, and
Marco Ivaldi. Thanks! The match line count has risen from 201 to 242.

Implemented a service classification scheme to separate the
vendor/product name from the version number and any extra info that
is provided. Instead of v/[big version string]/, the new match
lines include v/[vendor/productname]/[version]/[extrainfo]/ . See
the docs at the top of nmap-service-probes for more info. This
doesn't change the normal output (which lumps them together anyway),
but they are separate in the XML so that higher-level programs can
easily match against just a product name. Here are a few examples
of the improved service element:

I went through nmap-service-probes and added the vendor name to more
entries. I also added the service name where the product name
itself didn't make that completely obvious.

SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken
to an extortion campaign of demanding license fees from Linux users
for code that they themselves knowingly distributed under the terms
of the GNU GPL. They have also refused to accept the GPL, claiming
that some preposterous theory of theirs makes it invalid. Meanwhile
they have distributed GPL-licensed Nmap in (at least) their
"Supplemental Open Source CD". In response to these blatant
violations, and in accordance with section 4 of the GPL, we hereby
terminate SCO's rights to redistribute any versions of Nmap in any
of their products, including (without limitation) OpenLinux,
Skunkware, OpenServer, and UNIXWare.

Added "soft matches". These are similar to normal match lines in
that they provide a regex for recognizing a service (but no version).
But instead of stopping at softmatch service recognition, the scan
continues looking for more info. It only launches probes that are
known-capable of matching the softmatched service. If no version
number is found, at least the determined service is printed. A
service print for submission is also provided in that case. So this
provides more informative results and improves efficiency.

Cleaned up the Windows support a bit and did more testing and
fixing. Windows service detection seems to be working fine for me
now, although my testing is still pretty limited. This release
includes a Windows binary distribution and the README-WIN32 has been
updated to reflect new compilation instructions.

More service fingerprints! Thanks to Solar Designer, Max Vision,
Frank Denis (Jedi/Sector One) for the submissions. I also added a
bunch from my own testing. The number of match lines went from 179
to 201.

Updated XML output to handle new version and service detection
information. Here are a few examples of the new output:

Fixed issue where Nmap would quit when ECONNREFUSED was returned
when we try to read from an already-connected TCP socket. FreeBSD
does this for some reason instead of giving ECONNRESET. Thanks to
Will Saxon (WillS(a)housing.ufl.edu) for the report.

Removed the SERVICEMATCH_STATIC match type from
nmap-service-probes. There wasn't much benefit of this over regular
expressions, so it isn't worth maintaining the extra code.

Added/fixed numerous service fingerprints thanks to submissions from
Max Vision, MadHat, Seth Master. Match lines went
from 164 to 179.

The WinPcap libraries used in the Windows build process have been
upgraded to version 3.0.

Most of the Windows port is complete. It compiles and service scan
works (I didn't test very deeply) on my WinXP box with VS.Net 2003.
I try to work out remaining kinks and do some cleanup for the next
version. The Windows code was restructured and improved quite a bit,
but much more work remains to be done in that area. I'll probably
do a Windows binary .zip release of the next version.

Service scan is now OFF by default. You can activate it with -sV.
Or use the snazzy new -A (for "All recommended features" or
"Aggressive") option which turns on both OS detection and service
detection.

Fixed compilation on my ancient OpenBSD 2.3 machine (a Pentium 60 :)

Added/fixed numerous service fingerprints thanks to submissions from
Brian Hatch, HD Moore, Anand R., and some of my own testing. The
number of match lines in this version grows from 137 to 164! Please
keep 'em coming!

Various important and not-so-important fixes for bugs I encountered
while test scanning.

The RPC grinder no longer prints a startup message if it has no
RPC-detected ports to scan.

Some of the service fingerprint length limitations are relaxed a bit
if you enable debugging (-d).

Added a whole bunch of services submitted by Brian Hatch
(bri(a)ifokr.org). I also added a few Windows-related probes.
Nmap-service-probes has gone from 101 match strings to 137. Please
keep the submissions coming.

The question mark now only appears for ports in the OPEN state and
when service detection was requested.

I now print a separator bar between service fingerprints when Nmap
prints more than one for a given host so that users understand to
submit them individually (suggested by Brian Hatch (bri(a)ifokr.org))

Fixed a bug that would cause Nmap to print "empty" service
fingerprints consisting of just a semi-colon. Thanks to Brian Hatch
(bri(a)ifokr.org) for reporting this.

Banner-scanned hundreds of thousands of machines for ports
21,23,25,110,3306 to collect default banners. Where the banner made
the service name/version obvious, I integrated them into
nmap-service-probes. This increased the number of 'match' lines from
27 to more than 100.

Changed the service fingerprint format slightly for easier
processing by scripts.

Applied a large portability patch from Albert Chin-A-Young
(china(a)thewrittenword.com). This cleans up a number of things,
particularly for IRIX, Tru64, and Solaris.

Applied NmapFE patch from Peter Marschall (peter(a)adpm.de) which
"makes sure changes in the relay host and scanned port entry fields
are displayed immediately, and also keeps the fields editable after
de- and reactivating them."

Limited the size of service fingerprints to roughly 1024 bytes.
This was suggested by Niels Heinen (niels(a)heinen.ws), because the previous
limit was excessive. The number of fingerprints printed is also now
limited to 10.

Fixed a segmentation fault that could occur when ping-scanning large
networks.

Fixed service scan to gracefully handle host_timeout occurrences when
they happen during a service scan.

Fixed a service_scan bug that would cause an error when hosts send
data and then close() during the NULL probe (when we haven't sent
anything).

Applied a patch from Solar Designer (solar(a)openwall.com) which
corrects some errors in the Russian man page translation and also a
couple typos in the regular man page. Then I spell-checked the man
page to reduce future instances of foreigners sending in diffs to
correct my English :).

Nmap now has a simple VERSION detection scheme. The 'match' lines in
nmap-service-probes can specify a template version string
(referencing subexpression matches from the regex in a Perl-like
manner) so that the version is determined at the same time as the
service. This handles many common services in a highly efficient
manner. A more complex form of version detection (that initiates
further communication w/the target service) may be necessary
eventually to handle services that aren't as forthcoming with
version details.

The Nmap port state table now wastes less whitespace due to using a new
and stingy NmapOutputTable class. This makes it easier to read, and
also leaves more room for version info and possibly other enhancements.

Added 's' option to match lines in nmap-service-probes. Just as
with the Perl 's' option, this one causes '.' in the regular
expression to match any character INCLUDING newline.

The WinPcap header timestamp is no longer used on Windows as it
sometimes can be a couple seconds different than gettimeofday() (which
is really _ftime() on Windows) for some reason. Thanks to Scott
Egbert (scott.egbert(a)citigroup.com) for the report.

Applied a patch by Matt Selsky (selsky(a)columbia.edu) which fixes
configure.in in such a way that the annoying header file "present but
cannot be compiled" warning for Solaris.

Applied another patch from Matt that (we hope) fixes the "present
but cannot be compiled" warning -- this time for Mac OS X.

Initial implementation of service detection. Nmap will now probe
ports to determine what is listening, rather than guessing based on
the nmap-services table lookup. This can be very useful for
services on unidentified ports and for UDP services where it is not
always clear (without these probes) whether the port is really open
or just firewalled. It is also handy for when services are run on
the well-known-port of another protocol -- this is happening more
and more as users try to circumvent increasingly strict firewall
policies.

Nmap now uses the excellent libpcre (Perl Compatible Regular
Expressions) library from http://www.pcre.org/ . Many systems
already have this, otherwise Nmap will use the copy it now includes.
If your libpcre is hidden away in some nonstandard place, give
./configure the new --with-libpcre=DIR directive.

Nmap now uses the C++ Standard Template Library (STL). This makes
programming easier, but if it causes major portability or bloat
problems, I'll reluctantly remove it.

Applied a patch from Javier Kohen (jkohen(a)coresecurity.com) which
normalizes the names of many Microsoft entries in the
nmap-os-fingerprints file.

Applied a patch by Florin Andrei (florin(a)sgi.com) to the Nmap RPM
spec file. This uses the 'Epoch' flag to prevent the Redhat Network
tool from marking my RPMs as "obsolete" and "upgrading" to earlier
Redhat-built versions. A compilation flag problem is also fixed.

Implemented the largest-ever OS fingerprint update! Roughly 300
fingerprints were added/modified. These massive changes span the
gamut from AIX 5.1 to the ZyXEL Prestige broadband router line.
Notable updates include OpenBSD 3.3, FreeBSD 5.1, Mac OS X 10.2.6,
Windows 2003 server, and more WAPs and broadband routers than you
can shake a stick at. Someone even submitted a fingerprint for
Debian Linux running on the Microsoft Xbox. You have to love that
irony :). Thanks to everyone who submitted fingerprints using the
URL Nmap gives you when it gets a clean reading but is stumped. The
fingerprint DB now contains almost 1000 fingerprints.

Went through every one of the fingerprints to normalize the
descriptions a bit. I also looked up what all of the devices are
(thanks E*Bay and Google!). Results like "Nexland ISB Pro800 Turbo"
and "Siemens 300E Release 6.5" are much more useful when you add the
words "cable modem" and "business phone system"

Added a new classification system to nmap-os-fingerprints. In
addition to the standard text description, each entry is now
classified by vendor name (e.g. Sun), underlying OS (e.g. Solaris),
OS generation (e.g. 7), and device type ("general purpose", router,
switch, game console, etc). This can be useful if you want to (say)
locate and eliminate the SCO systems on a network, or find the
wireless access points (WAPs) by scanning from the wired side.

Classification system described above is now used to print out a
"device type" line and OS categories for matches. The free-form
English details are still printed as well. Nmap can sometimes
provide classifications even where it used to provide nothing
because of "too many matches". These have been added to XML output
as well. They are not printed for the "grepable output", as I
consider that format deprecated.

Nmap will now sometimes guess in the "no exact matches" case, even
if you don't use the secret --osscan_guess or -fuzzy options.

Applied another huge NmapFE patch from Peter Marschall
(peter(a)adpm.de). This revamps the interface to use a tabbed
format that allows for many more Nmap options to be used. It also
cleans up some crufty parts of the code. Let me and Peter know what
you think (and if you encounter any problems).

Windows and Amiga ports now use packet receive times from libpcap.
Let me know if you get any "time computation problem" errors.

Updated version of the Russian man page translation from Alex Volkov
(alex(a)cherepovets-city.ru).

Fixed (I hope) an issue that would cause Nmap to print "Serious time
computation problem in adjust_timeout ..." and quit. The ultimate
cause was demonstrated by this --packet_trace snippet that Russel
Miller (rmiller(a)duskglow.com) sent me:
SENT (0.0500s) ICMP 0.0.0.0 > 127.0.0.1 Echo request (type=8/code=0) ...
RCVD (0.0450s) ICMP 127.0.0.1 > 127.0.0.1 Echo reply (type=0/code=0) ...
As you can see, the ping reply appears to come BEFORE the request
was sent(!). This sort of thing happens on at least Linux and
Windows. The send time is obtained from gettimeofday(timeval, NULL),
while receive time libpcap packet header. If anyone knows why this
occurs, or (even better) knows a good way to fix it, let me know.
For now, I am allowing the response to come up to .05s "before" the
request. That is gross.

For years, Nmap has added -I/usr/local/include and -L/usr/local/lib
to the compiler line to grab local libraries. I have removed this
behavior by default, and added a '--with-localdirs' configure option
that adds it back. If Nmap fails to compile now without the above
option, please let me know. I can change the default back if this
change causes more problems than it solves. People (such as certain
ports tree packagers) who know they don't want /usr/local should
specify --without-localdirs rather than relying on that always being
the default.

Fixed (I hope) a problem that led to the error message "Assertion
`tqi->sockets[probe_port_num][seq] == -1' failed".

Fixed a problem that would cause Nmap on Windows to send ICMP ping
packets from 0.0.0.0 instead of the appropriate source IP. Thanks
to Yeti (boxed(a)blueyonder.co.uk) for the report.

Applied some changes from Solar Designer (solar(a)openwall.com)
which fix some typos and also suggest safer /tmp/ behavior in the
HACKING file and Lithuanian man page. These changes are for the
Nmap package of his Openwall GNU/*/Linux (Owl) distribution.
(http://www.openwall.com/Owl/)

For Solaris, I now define NET_SIZE_T to size_t rather than socklen_t
in nmap.h. Isn't that exciting?!!! Hopefully this will help
compilation on Solaris 2.6 (and perhaps earlier). If any Solaris
users notice new compilation problems, please let me know. Thanks to
Al Smith (Al.Smith(a)aeschi.ch.eu.org) for reporting the issue.

Removed an errant getopt() prototype in nbase/getopt.h which should
hopefully improve compilation on certain Solaris boxes and BSD
variants.

SCO operating systems are no longer supported due to their recent
(and absurd) attacks against Linux and IBM. Bug reports relating to
UnixWare will be ignored, or possibly even laughed at derisively.
Note that I have no reason to believe anyone has ever used Nmap on
SCO systems. UnixWare and OpenServer suck.

Fixed a problem with small --max_parallelism values when non-root ping
scanning that would cause Nmap to say "sendconnecttcpquery: Could
not scavenge a free socket!" and quit. Problem was reported by
Justin A (justin(a)bouncybouncy.net) as Debian Bug #195463.

Applied (with a few modifications) a large NmapFE patch from Peter
Marschall (peter(a)adpm.de). This patch adds a bunch more scan/ping
options and cleans up some redundant NmapFE code.

Included new Russian man page translation by Alex Volkov
(alex(a)cherepovets-city.ru)

Changed many single-quotes (') into double quotes (") in the man
page due to a disagreement over whether to represent them as (') or
(\') in nroff.

Included --packet_trace support for Explicit Congestion Notification
(RFC 2481/3168) flags thanks to a patch sent in by Maik Pfeil
(root(a)bundesspionageministerium.de)

Included --packet_trace support for a few (unusual) ICMP types in
case Nmap receives them. The patch was also sent by Maik Pfeil.

Made "-g -Wall" compiler flags dependent on availability of gcc/g++
sine some other compilers do not support them.

I spam-protected the email addresses in this file. I fervently hope
that within 5 years we will be able to defeat this scourge through
technology and laws, so that we may again list our email addresses
openly without fear of abuse by criminal spammers. Oh, and it would
be a shame if the spiders went through this whole page and only
found uce@ftc.gov, rhundt@fcc.gov, jquello@fcc.gov, sness@fcc.gov,
president@whitehouse.gov, haesslich@loyalty.org, and rchong@fcc.gov.

Nmap now compiles under Amiga thanks to patches sent by Diego
Casorran (dcr8520(a)amiga.org).

Fixed a backwards WIN32 ifdef that broke UDP and small-fragment
scans for some operating systems other than Linux and Windows.
Thanks to Guido van Rooij (guido(a)gvr.org) for reporting the problem
and sending a patch.

Applied patch from Marius Strobl (marius(a)alchemy.franken.de) which improves
the definition of NET_SIZE_T on FreeBSD so that it compiles on
64-bit platforms.

Fixed Mac OS X Compilation (at least on most of the machines
tested). You will probably need to type
"./configure CPP=/usr/bin/cpp" instead of simply "./configure". If
you still have trouble, drop me an email. Thanks to everyone who
provided or offered shell accounts!

Fixed a segmentation fault several people reported that was
introduced in 3.25. This problem manifests itself intermittently
in many normal situations involving large-network scanning. So all
3.25 users are urged to upgrade. Pre-3.25 users should upgrade too,
since 3.25 included so many improvements :).

I added UDP-based "ping" scanning. The -PU option can take an
optional portlist like the TCP "ping" options (-PS, -PA), but it sends
a UDP packet to the targets and expects hosts that are up to reply
with a port unreachable (or possibly a UDP response if the port is
open). This one is likely to work best against closed ports, since
many open ports don't respond to empty requests.

Fixed an "assertion failure" which would cause Nmap to exit when you
specify a --max_rtt_timeout below 3000. Thanks to Tammy Rathbun
(rathbun2(a)llnl.gov) and Jan Roger Wilkens (jrw(a)proseq.net) for
reporting this.

Packet receive times are now obtained from libpcap rather than
simply using the time the packets are passed to Nmap. This should
improve performance slightly. I was not able to get this to work
properly on Windows (either pcap or raw) -- join the nmap-dev list
if you have ideas.

Fixed bug that caused Nmap to ignore certain RST responses when you
do both -PS and -PA.

Modified ping scan to work better when many instances of Nmap are
executed concurrently.

I'm now linking directly to the gzip compressed version of Nmap on
the homepage as well as the .bz2.

Made numerous improvements to the timing behavior of "-T Aggressive"
(same as -T4) scans. It is now recommended for regular use by
impatient people with a fast connection. "-T Insane" mode has also
been updated, but we only recommend that for, well, insane people.

Made substantial changes to the SYN/connect()/Window scanning
algorithms for improved speeds, especially against heavily filtered
hosts. If you notice any timing problems (misidentified ports,
etc.), please send me the details (including full Nmap output and a
description of what is wrong). Reports of any timing problems with
-T4 would be helpful as well.

Changed Nmap such that ALL syn scan packets are sent from the port
you specify with -g. Retransmissions used to utilize successively
higher ports. This change has a downside in that some operating
systems (such as Linux) often won't reply to the retransmissions
because they reuse the same connection specifier quad
(srcip:srcport:dstip:dstport). Overall I think this is a win.

Added timestamps to "Starting nmap" line and each host port scan in
verbose (-v) mode. These are in ISO 8601 standard format because
unlike President Bush, we actually care about International
consensus :).

I added support for a brand new "port" that many of you may have
never scanned before! UDP & TCP "port 0" (and IP protocol 0) are now
permitted if you specify 0 explicitly. An argument like "-p -40"
would still scan ports 1-40. Unlike ports, protocol 0 IS now scanned
by default. This now works for ping probes too (e.g., -PS, -PA).

Applied patch by Martin Kluge (martin(a)elxsi.info) which adds --ttl
option, which sets the outgoing IPv4 TTL field in packets sent via
all raw scan types (including ping scans and OS detection). The
patch "should work" on Windows, but hasn't been tested. A TTL of 0
is supported, and even tends to work on a LAN:

I added a new --datadir command line option which allows you to
specify the highest priority directory for Nmap data files
nmap-services, nmap-os-fingerprints, and nmap-rpc. Any files which
aren't in the given dir, will be searched for in the $NMAPDIR
environmental variable, ~/nmap/, a compiled in data directory
(e.g. /usr/share/nmap), and finally the current directory.

Included new Latvian man page translation by
"miscelerious options" (misc(a)inbox.lv)

Fixed Solaris compilation when Sun make is used rather than GNU
make. Thanks to Tom Duffy (tduffy(a)sun.com) for assistance.

Applied patch from Stephen Bishop (sbishop(a)idsec.co.uk) which
prevents certain false-positive responses when Nmap raw TCP ping scans
are being run in parallel.

To emphasize the highly professional nature of Nmap, I changed all
instances of "fucked up" in error message text into "b0rked".

Fixed a problem with nmap-frontend RPMs that would cause a bogus
/bin/xnmap link to be created (it should only create
/usr/bin/xnmap). Thanks to Juho Schultz
(juho.schultz(a)astro.helsinki.fi) for reporting the problem.

I made the maximum number of allowed routes and interfaces allowed
on the scanning machine dynamic rather than hardcoded #defines of 1024
and 128. You never know -- some wacko probably has that many :).

Updated Makefile to better-detect if it can't make nmapfe and
provide a clearer error message. Also fixed a couple compiler
warnings on some *BSD platforms.

Applied patch from "Max" (nmap(a)webwizarddesign.com) which adds the
port owner to the "addport" XML output lines which are printed (only
in verbose mode, I think) as each open port is discovered.

I killed the annoying whitespace that is normally appended after the
service name. Now it is only there when an owner was found via -sI
(in which case there is a fourth column and so "service" must be
exactly 24 characters).

Reworked the "ping scan" algorithm (used for any scan except -P0 or
-sL) to be more robust in the face of low-bandwidth and congested
connections. This also improves reliability in the multi-port and
multi-type ping cases described below.

"Ping types" are no longer exclusive -- you can now do combinations
such as "-PS22,53,80 -PT113 -PN -PE" in order to increase your odds of
passing through strict filters. The "PB" flag is now deprecated
since you can achieve the same result via "PE" and "PT" options.

Upgraded libpcap from version 0.6.2 to 0.7.1. Updated the
libpcap-possiblymodified/NMAP_MODIFICATIONS file to give a much
more extensive list (including diffs) of the changes included
in the Nmap bundled version of Libpcap.

Applied patch to fix a libpcap alignment bug found by Tom Duffy
(tduffy(a)sun.com).

Fixed Windows compilation.

Applied patch by Chad Loder (cloder(a)loder.us) of Rapid7 which
fixes OpenBSD compilation. I believe Chad is now the official
OpenBSD Nmap "port" maintainer. His patch also adjusted
random-scan (-iR) to include the recently allocated 82.0.0.0/8
space.

Fixed (I hope) a few compilation problems on
non-IPv6-enabled machines which were noted by Josef 'Jupp'
Schugt (jupp(a)gmx.de)

Included some man page translations which were inadvertently
missed in previous tarballs.

Applied patch from Matthieu Verbert (mve(a)zurich.ibm.com) which
places the Nmap man pages under ${prefix}/share/man rather than
${prefix}/man when installed via RPM. Maybe the tarball
install should do this too? Opinions?

Applied patch from R Anderson (listbox(a)pole-position.org) which
improves the way ICMP port unreachables from intermediate hosts
are handled during UDP scans.

Added note to man page related to Nmap US export control. I
believe Nmap falls under ECCN 5D992, which has no special
restrictions beyond the standard export denial to a handful of
rogue nations such as Iraq and North Korea.

Added a warning that some hosts may be skipped and/or repeated
when someone tries to --resume a --randomize_hosts scan. This
was suggested by Crayden Mantelium (crayden(a)sensewave.com)

Applied patch by Max Schubert (nmap(a)webwizarddesign.com) which adds
an add-port XML tag whenever a new port is found open when Nmap is
running in verbose mode. The new tag looks like:
<addport state="open" portid="22" protocol="tcp"/>
I also updated docs/nmap.dtd to recognize this new tag.

Added German translation of Nmap man page by Marc Ruef
(marc.ruef(a)computec.ch). It is also available at
https://nmap.org/man/de/

Includes a brand new French translation of the man page by Sebastien
Blanchet. You could probably guess that it is available at
https://nmap.org/man/fr/

Applied some patches from Chad Loder (cloder(a)loder.us) which update
the random IP allocation pool and improve OpenBSD support. Some
were from the OBSD Nmap patchlist.

Added --min_parallelism option, which makes scans more aggressive
and MUCH faster in certain situations -- especially against
firewalled hosts. It is basically the opposite of --max_parallelism
(-M). Note that reliability can be lost if you push it too far.

Added --packet_trace option, which tells Nmap to display all of the
packets it sends and receives in a format similar to tcpdump. I
mostly added this for debugging purposes, but people wishing to learn
how Nmap works or for experts wanting to ensure Nmap is doing
exactly what they expect. If you want this feature supported under
Windows, please send me a patch :).

Fixed a segmentation fault in Idlescan (-sI).

Made Idlescan timing more conservative when -P0 is specified to
improve accuracy.

Fixed an infinite-loop condition that could occur during certain
dropped-packet scenarios in an Idle scan.

Nmap now reports execution times to millisecond precision (rather
than rounding to the nearest second).

IPv6 is now supported for TCP scan (-sT), connect()-style ping
scan (-sP), and list scan (-sL)! Just specify the -6 option and the
IPv6 numbers or DNS names. Netmask notation is not currently
supported -- I'm not sure how useful it is for IPv6, where even petty
end users may be allocated trillions of addresses (/80). If you
need one of the scan types that hasn't been ported yet, give
Sebastien Peterson's patch a try at http://nmap6.sourceforge.net/ .
If there is demand, I may integrate more of that into Nmap.

Major code restructuring, which included conversion to C++ -- so
you'll need g++ or another C++ compiler. I accidentally let a C++
requirement slip in a while back and found that almost everyone has
such a compiler. Windows (VC++) users: see the README-WIN32 for new
compilation instructions.

Applied patch from Axel Nennker (Axel.Nennker(a)t-systems.com) which
adds a --without-nmapfe option to the configure script. This is
useful if your system doesn't have the proper libraries (e.g. GTK) or
if you think GUIs are for sissies :).

I removed "credit" lines from the nmap-os-fingerprints file out of
concern that evil spammers might harvest the 602 addresses. Plus
those took up 28K and the size of nmap-os-fingerprints has already
caused trouble for some handheld devices. If anyone actually cares
about the "fame" of being listed, let me know and I'll put you back
in. I still appreciate everyone who submits fingerprints! I just
don't want you to be spammed when the fingerprint file goes online.

Made SYN scan the default for privileged (root) users. This offers
far better performance for Windows users due to their broken
connect() call, and is usually even preferred on UNIX because it is
more stealthy and less likely to crash applications listening on the
target host.

Changed NmapFE to use the version number 2.54BETA36 rather than
0.2.54BETA36. I had to do this because RedHat took the liberty of
releasing a so-called "2.54BETA31" version of nmap-frontend in their
7.3 distribution. Thus my upgrades were failing to install on such
systems because a "later" version is already installed.

Applied patch from Andy Lutomirski (Luto(a)myrealbox.com) which fixes
some important Windows bugs. Apparently this can cause a dramatic
speedup in some circumstances. The patch had other misc. changes
too.

Fix bug noted by Chris V (iselldrugstokidsonline(a)yahoo.com) in which
Nmap could segmentation fault with the (bogus) command: './nmap -sO
-p 1-65535 hostname' (protocol only can go up to 255). That being
said, Nmap should never segfault just because of bogus options.

Fixed problem noted by Maximiliano (emax25(a)arnet.com.ar) where Nmap
would get stuck in a (nearly) infinite loop when you try to "resume"
a random host (-iR) scan.

Included a number of fingerprint updates, but I still have many more
web submissions to go through. Also made some nmap-services
portlist updates.

Included a bunch of fixes (mostly to prevent compiler warnings) from
William McVey (wam(a)cisco.com)

Added a Document Type Definition (DTD) for the Nmap XML output
format (-oX) to the docs directory. This allows validating parsers
to check nmap XML output files for correctness. It is also useful
for application programmers to understand the XML output structure.
The DTD was written by William McVey (wam(a)cisco.com) of Cisco Secure
Consulting Services ( http://www.cisco.com/go/securityconsulting ).

Merged in a number of Windows fixes/updates from Andy Lutomirski
(Luto(a)myrealbox.com)

Merged in fixes/updates (mostly to the Windows functionality) from
Matt Hargett (matt(a)use.net)

Applied patch by Colin Phipps (cph(a)netcraft.com) which correctly
encodes special characters in the XML output.

Applied patch by William McVey (wam(a)cisco.com) which adds the uptime
information printed with -O to the XML output format.

Fixed byte-order bug in Windows packet matching code which caused
-PS and -PT to fail. Bug found and patch sent by Tim Adam.

Fixed segfault problem with "-sU -F". Nobody reported this until I
noticed it :(. Anytime you see "Segmentation Fault" in the latest
version of Nmap, it is probably a bug -- please mail me the command
you used, the OS/platform you are running on, and whether it is
reproducable.

Added a convenience option "-oA (basefilename)". This tells Nmap to
log in ALL the major formats (normal, grepable, and XML). You give
a base for the filename, and the output files will be base.nmap,
base.gnmap, and base.xml.

Documented the --append_output option which tells Nmap to append
scan results to any output files you have specified rather than
overwriting the files.

Integrated William McVey's multi-portlist patch. This allows you to
specify different port numbers when scanning both TCP & UDP. For
example, if you want to UDP for 53,111 and 137 while TCP scanning
for 21-25,80,139,515,6000,8080 you could do: nmap -sSU -p
U:53,111,137,T:21-25,80,139,515,6000,8080 target.com . Prior to
this patch, you had to either use different Nmap executions or scan
both UDP & TCP of each port. See the man page for more usage info.

Fixed portscan timing bug found by H D Moore (hdm(a)secureaustin.com).
This bug can occur when you specify a --max_rtt_timeout but not
--initial_rtt_timeout and then scan certain firewalled hosts.

Fixed port number printing bug found by "Stephen Leavitt"
(stephen_j_leavitt(a)hotmail.com)

The Nmap source tarball now extracts with more lenient permissions
(sometimes world-readable or world-executable, but never
world-writable). If you don't want this, set your umask to 077
(which is what I do). Suggested by Line Printer (lps(a)rahul.net)

Fixed bug that caused "adding open port" messages to be printed even
when verbose mode was not specified (patch sent by Doug Hoyte).

Fixed bug in zombie:port option parsing in Idlescan as well a few
other bugs in patch sent by Germano Caronni (gec(a)acm.org)

Fixed Windows compilation (I broke it when I added Idlescan).

Fixed a (Win32 only) port identification bug which would cause some
ports to be listed as "unknown" even when Nmap should know their
name. This was found at patched by David Griffiths
(davidg(a)intrinsica.co.uk).

Fixed more nmap-os-fingerprints syntax/grammar violations found by
Raymond Mercier of VIGILANTe

Fixed a memory leak in Nbase str*casecmp() functions by applying
patch sent by Matt (matt(a)use.net). I plan to kill this whole
strcasecmp.c file as soon as possible (it is a mess).

Fixed an OS fingerprinting bug that caused many extra packets to be
sent if you request a lot of decoys.

Added some debug code to help diagnose the "Unknown datalink type"
error. If Nmap is giving you this error, please send the following
info to fyodor@insecure.org : 1) The full output from Nmap
(including the command arguments) 2) What OS and OS version are you
using 3) What type of adaptor are you using (modem, ethernet, FDDI,
etc)

Upgraded Libpcap to the latest version (0.6.2) from tcpdump.org. I
modified the build system slightly by shipping pre-generated
scanner.c/grammer.c (instead of using lex/yacc) and I also upgraded
to the newest config.sub/config.guess .

Fixed some issues with the new Libpcap under Linux (patches will be
sent to the developers).

Added "All zeros" IP.ID sequence classification to account for the
new Linux 2.4 scheme which seems to use 0 whenever the DF bit is set
(probably a good idea).

I ported NmapFE to Windows so that Win32 users can use the graphical
interface. It generally works, although I haven't tested much.
Patches welcome!

Various little fixes and cleanups, especially to the Windows port.

Applied patch from Andy Lutomirski (Luto(a)mailandnews.com) which
enhances some of the Win* error messages and adds the --win_trace
debugging option.

Applied some patches from Jay Freeman (saurik(a)saurik.com)

New --data_length option adds indicated number of random data
bytes to send with scan packet and tcp ping packet (does not
currently work with ICMP ping packet). Does not affect OS
detection, RPC, or connect() scan packets.

Windows portability fixes

Various other little fixes.

Renamed rpc.h and error.h because they conflict with Windows include
files. By the way, this was a pain to figure out because VC++ is
such a crappy compiler! It basically just says problem in
"foobar.h" without giving you any idea how foobar.h got included!
gcc gives you a nice message tracing the chain of include files!

Took out C++ compiler test from nbase configure script. It was
inserted accidently, but I found it interesting that only 2 people
complained about this causing them problems. I guess most everyone
already has C++ compilers.

Applied patch from Hubert Feyrer
(hubert.feyrer(a)informatik.fh-regensburg.de) which adds support for
the new NetBSD DLT_PPP_* types.

Updated to Eilon Gishri's (eilon(a)aristo.tau.ac.il) newest version
of nmap-rpc at ftp://ftp.tau.ac.il/pub/users/eilon/rpc/rpc

Moved a bunch of the scanning engine related functions to new files
(scan_engine.c and scan_engine.h ). Timing functions were moved to
the new timing.c/timing.h . Other stuff was shifted to
tcpip.c/tcpip.h. At some point, nmap.c will only contain the Nmap
command line UI.

Added XML output (-oX). Hopefully this will help those of you
writing Nmap front ends and other tools that utilize Nmap. The
"machine-readable" output has been renamed "grepable" (-oG) to
emphasize that XML is now the preferred machine-readable output
format. But don't worry if your tool uses -oM , that format (and
the deprecated -oM flag) won't go away any time soon (if ever).
Thanks to Stou Sandalski (tangui(a)cell2000.net) and Fredrick Paul
Eisele (phreed(a)gmail.com) for sending proposals that inspired the
format used.

Applied patch from Stefan Rapp (s.rapp(a)hrz.uni-dortmund.de) which
fixes a variable argument integer promotion problem in the new
snprintf compatibility file. This is important for Redhat 7
systems.

Reorganized output-related routines so that they now reside in
output.c & output.h. Let me know if I accidently screwed up the
behavior of any scan types in the process.

Revamped the 'compatibility libraries' subsystem. Moved all of that
to a new library called 'libnbase' and changed Nmap and NmapFE to
use that. I included a better version of *snprintf and some other
compatibility files. Obviously I cannot test these changes on every
whacked OS that needs this compatibility cruft, so please let me
know if you run into compilation problems.

Fixed a problem found by Martyn Tovey (martyn(a)netcraft.com) when
using Nmap on platforms that dislike division by zero.

Upgraded to the very latest Libpcap version ( the 9/3/00 CVS
snapshot ). This version is from the tcpdump.org group rather than
the Lawrence Livermore crew. The most important advantage is Linux
Socket Filter support (so you won't have that annoying syslog
message about Nmap using the obsolete SOCK_PACKET interface).

I tried to install Nmap on yet another machine without lex/yacc or
flex/bison. That was the last straw! I am now shipping the
generated C files, which eliminates the lex/yacc requirement.

Applied patch by Jay Freeman (saurik) (saurik(a)saurik.com) to make
Nmap C++-clean (this was lot of tedious work! Thanks!). Note that
Nmap still uses a normal C compiler by default, but Nmap derivatives
may appreciate C++ compatibility. Note that this only applies to
"Nmap proper", not libpcap.

Added a HACKING file for people who want to help with Nmap
development. It describes preferred patch formats, development
resources, and offers a number of useful changes that would likely
be accepted into the main tree.

Fixed a configure.in error found by Vacuum
(vacuum(a)technotronic.com) which could cause compilation errors.

Fingerprint file adjustments for better Win* detection

Ensure libpcap is not configured and/or installed if you already
have a "new enough" version (0.4a6+) installed.

Added an "SInfo" line to most printed fingerprints. It looks
similar to this:
SInfo(V=2.54BETA4%P=i686-pc-linux-gnu%D=9/4%Time=9681031%O=7%C=1)
and contains information useful when fingerprints are reported (Nmap
version/platform, scan date, and open/closed ports used)

Fixed RPCGrind (-sR) scan. It has been almost completely broken
since 2.54BETA2 (which has been out for two weeks) and nobody
reported it! I noticed the problem myself during testing of
something else. I am disappointed that nobody bothered to even let
me know that this was broken. Does anyone even use RPC Scan?

Went through and added/adjusted a bunch of fingerprints. A lot of
people submitted Windows Millenium Edition (WinME) beta
fingerprints, but nobody submitted IPs for them. So please let me
know if this version detects your WinME boxes.

Applied NmapFE patch from Michael Fischer v. Mollard (mfvm(a)gmx.de)
which made did the following:

Added delete event so that NmapFE always quits when you kill it
with your window manager

Added a shortcut which can make single port SYN scans of a network
much faster. For example, if a new sendmail vulnerability is found,
this reduces the time it takes to scan your whole network for port
25. This shortcut takes effect when you do "-PS[port] -sS
-p[port]". For example 'nmap -n -sS -p25 -PS25 24.0.0.0/8". This
optimization doubled the scan speed in a 30,000 IP test I performed.

Added -sL (List scan). Just as ping scan (-sP) allows you to short
circuit the scan right after pinging, -sL allows you to short
circuit the scan right after target selection. This allows you to
see what hosts WOULD be scanned without actually doing it. The
hosts will be resolved unles you use -n. Primary uses:

Get all the IPs in a network (like A.B.C.D/16) and take out
machines that are too fragile to be scanned safely before
calling Nmap with the new list (using -iL).

Test that a complex spec like 128.4,5,7-9.*.7 does what you
expect before actual scanning.

When all you want to do is resolve a bunch of IPs.

You just want results of a zone transfer (if it is implemented).

Added some new fingerprints and adjusted some others based on
submissions to the DB (I still have a lot more to go through so
don't worry if your submission is still not detected).

Added a warning when you scan 0 hosts (eg "nmap -v"). There are
various other output tweaks as well.

Ensured that 0.0.0.0 can be scanned by nmap (although on some OSs,
like Linux, it won't work due to what seem to be kernel bugs). Oh
well. I'll look into it later.

Added an extremely cool scan type by Gerhard Rieger ( rieger at
iue.tuwien.ac.at ) -- IP Protocol scanning. Basically it sends a
bunch of IP headers (no data) with different "protocol" fields to
the host. The host then (usually) sends back a protocol unreachable
for those that it does not support. By exclusion, nmap can make a
list of those that are supported. This is similar in concept to
(and is implemented using most of the same scanning routines as) UDP
scanning. Note that some hosts do not send back protocol
unreachables -- in that case all protocols will appear "open".

Added very simple man pages for xnmap/nmapfe (lack of man pages for
these was noticed by LaMont Jones (lamont(a)hp.com), the Debian Nmap
package maintainer, based on bug report by Adrian Bunk
(bunk(a)fs.tum.de ).

Changed makefile/rpm to store fingerprint, rpc, and services file in
$prefix/share/nmap rather than $prefix/lib/nmap , since these files
are architecture independent. You should now use ./configure
--datadir instead of ./configure --libdir to change the default
location. Suggested by Thomas Klausner
(wiz(a)danbala.ifoer.tuwien.ac.at).

I am now including Eilon Gishri's (eilon(a)aristo.tau.ac.il) rpc
number list (which he recently merged with the Nmap 2.50 rpc list).

Included Spanish and French HTML versions of the Nmap man page (may
not always be up to date).

Fixed an IP calculation error which could occur in some cases where
you scan machines on different devices (like lo and eth0). This
problem was discoved by Jonathan Fine (jfine(a)psu.edu).

Fixed a problem that could, in rare cases, cause a SYN scan scan to
crash (the error message was "attempt to add port number X with
illegal state 0"). This problem was reported by Erik Benner
(erik(a)xyzzy.net)

Changed the .spec file so that RPM versions create a xnmap link to
nmapfe ( the normal make install has done this for a long time ).

A number of people reported problems with nmapfe in various
environments (specifically gdk errors, hangs, and crashes). I think
that is now fixed. Let me know if you still have the problem (make
sure the title bar says BETA21).

Added a bunch of OS fingerprints based on all the contributions in
the last month or so.

Fixed a bug that completely broke RPC scanning in BETA19.

Added list of ports scanned near the top of each machine log WHEN
-v was specified. Here is an example of the format:
# Ports scanned: TCP(13;1-10,22,25) UDP(0;)
The "13" above is the number of TCP ports being scanned.

Got rid of a snprintf() from nmapfe sine some systems don't have it
:( and I'm to lazy to integrate in the snprintf that comes with nmap
right now.

Applied patch to services.c by Andrew Brown (atatat(a)atatdot.net)
which prevents some useless debugging (-d) output when reading some
kindss of /etc/services files.

Added "Host: [machinename] (ip) Status: Down" to machine logs when
the verbose option is given (just like down hosts are reported to
stdout when verbose is given). Suggested by Alek Komarnitsky.

Applied NetBSD compatibility patch provided by Mipam (reinoud at
ibbnet.org) which changes an autoconf macro to check for
getopt_long_only instead of getopt_long.

Nmap used to print an inaccuracy warning when no open TCP ports were
found on the target machine. Due to a bug, this was not always
being printed. Problem found by Matt (matt at use.net) and Ajay
Gupta2 (Ajay.Gupta2 at ey.com).

Added the number of ports in the ignored state right after the state
name in machine parseable logs. It used to looke like: "Ignored
State: closed" whereas now it looks like: "Ignored State: closed
(1508)" Meaning that 1508 ports were closed and thus are not
specifically enumerated.

Changed all nmapfe calls to gdk_font_load into gdk_fontset_load .
Bennett Feitell (bfeitell at panix.com) suggested that this fixed
some nmapfe font problems.

Tweaked the output so that it now tells how many ports are not shown
and what state the ignored ports are in. This info could be
inferred before by people who had studied the manpage, but now the
info is explicitly available. I cleaned up a bunch of stuff
internally to make this happen. I hope I didn't break anything!

Changed NmapFE so that it always kills any running Nmap process when
you press exit. Problem noted by Marc Renner
(mrenner(a)ci.marysville.wa.us)

Apparently some Linux (glibc) systems now come with a "strcasestr"
function. So I have made autoconf look for this and use the native
version if supported (problem noted by Sami Farin
(sfarin(a)ratol.fi)).

Added a new attribute "Ignored State: xxx" to the machine parseable
logs, where xxx is the state (closed, filtered, or UNfiltered) that
is being ignored. Ports in that state are not listed (they weren't
listed in earlier versions either). Perhaps I should list ALL ports
for machine parseable output. Opinions?

Merged in a patch sent in by Mipam (reinoud(a)ibbnet.org) which is
apparently part of the OpenBSD Nmap "port". Although Nmap seems to
work fine for me on my OpenBSD 2.4 box, a couple OpenBSD users have
complained of problems. Hopefully this will help (it adds DLT_LOOP
and DLT_ENC offset cases when reading from libpcap).

Fixed a very important bug that occurred when SYN scanning
localhost. Many thanks to Dries Schellekens (
gwyllion(a)ace.ulyssis.student.kuleuven.ac.be ) for first reporting
the problem.

Uros Prestor from TurboLinux informed us that the latest versions of
Nmap work with Linux on the upcoming Intel Merced/Itanium IA-64
processors. He also said that the TurboLinux distribution includes
Nmap. Kudos to them! As well as the other distros that support
Nmap (Debian, Red Hat, Suse, Trinux) and of course FreeBSD, NetBSD,
& OpenBSD. Does anyone know if Nmap ships with the latest from
Mandrake or Corel? The latest Solaris includes some Free software.
If anyone can get them to ship Nmap, I will buy you a case of beer
:).

Added a #define to change vsnprintf to vsprintf on machines which do
not support the former (mostly Solaris 2.5.1 and earlier). This
function is less safe. For people who care about security, we
recommend an upgrade to Solaris 8 (or Linux/*BSD).

Changed the NmapFE version to 0.[nmap_version] rather than always
leaving it at 0.9.5 (which was confusing). Thanks to J.D.K. Chipps
(jdkc(a)woptura.com) for noticing this.

Added support for "-vv" (means the same as "-v -v"). Older versions
of Nmap supported it (noted by George Kurtz).

Added ACK scanning. This scan technique (which van Houser and
others have been bugging me to add for years :), is great for
testing firewall rulesets. It can NOT find open ports, but it can
distinguish between filtered/unfilterd by sending an ACK packet to
each port and waiting for a RST to come back. Filtered ports will
not send back a RST (or will send ICMP unreachables). This scan
type is activated with -sA .

Documented the Window scan (-sW) which Lamont Granquist added in
September 99.

Added a whole bunch of OS fingerprints that people have submitted.

"Protocol" field in output eliminated. It is now printed right next
to the number (/etc/services style). Like "22/tcp". I wonder what
I should put in the extra white space this leaves on the report :).

Added --resume option to continue a large network scan where you
left off. This is useful for recovering from errors (modem drops
carrier, network outage, etc). It also allows you to start and stop
for policy reasons (like if a client only wants you to scan on
weekends or at night) or if you want to run the scan on a different
host. Usage is 'nmap --resume logfile' where logfile can be either
normal (-oN) or machine parseable (-oM) logfile from the scan that
was aborted. No other options can be given (the options in the
logfile from the original scan will be used). Nmap will start off
with the host after the last one successfully scanned in the log
file.

Added --append_output option which causes -oN/-oM/-oS to APPEND to
the output file you specify rather than overwriting it.

Various internal code cleanup, makefile fixes, etc.

Changed version number from 2.3BETA* to 2.30BETA* to appease various
packaging systems that thought 2.3BETA was < 2.12 .

Nmap output to files now correctly flushes output after scanning for
each host is finished.

Fixed configure scripts so that options you give to the Nmap
configure (like --prefix ) are also passed to the nmapfe configure
script. This problem was noted by Ralf Hildebrandt
(R.Hildebrandt(a)tu-bs.de). While I was at it, I added some other
cleanups to the system.

Added --noninteractive option for when nmap is called from scripts
(where stuff like prompting users for info is unacceptable). It
does not currently do anything (Nmap never prompts) and script
writers should probably wait until at least May '2000 so their
scripts still work with earlier versions of Nmap.

Updated to the latest config.guess and config.sub from Autoconf 2.13

Applied patch by Sven (s.carstens(a)gmx.de> which fixes a
segmentation fault problem in Nmapfe colored mode as well as some
output niceties.

Peter Kosinar (goober(a)gjh.sk) performed some cleanup of the output
routines and as a bonus he added skript kiddie output mode!!! Try
it out by adding "-oS - " to your nmap command line. Note that
using '-' to represent stdout instead of a filename is something you
can do with any of the output modes.

Ensured that Nmap always gives up on ident scan after the first port
attempt finds it to be closed (problem noticed by Matt
(matt(a)use.net))

Changed strsep's in nmapfe to more portable strtok's (should
especially help Nmapfe compiles on Solaris)

Changed permutation algorithm to make port order and host order
shuffling more random.

Various minor changes and internal code cleanup.

Fixed integer overflow that was limiting the max --host_timeout
value to about 2,000,000 milliseconds (~1/2 hour). The limit is now
about 4,000,000,000 milliseconds (~1 month). I really hope you
don't need more than that :).

Added interactive mode which adds convenience for managing nmap
sessions and also enhances privacy. Get to it with --interactive
and then type 'h' for help.

Added/modified many fingerprints including the latest 2.3.X Linux
releases, the latest Win2000 builds, the Apple Airport Wireless
device, and several dozen more.

Migrated to RPM .spec file sent in by Tim Powers
(timp(a)redhat.com). That is the file they will be using to package
Nmap with the power tools CD in the next Redhat release. The most
important changes are that Nmap (only the RPM version) now installs
in /usr/* instead of /usr/local/* and the frontend is now
dynamically linked with GTK and comes in a separate rpm.

The -i (input from list) option has been deprecated. From now on
you should use -iL [filename] to read from a list or -iR to have
Nmap generate random IPs to scan. This -iR option is new.

The -o and -m options have been deprecated. From now on, you should
use -oN for normal (human readable) output and -oM for machine
parseable output. At some point I might add -oH (HTML output) or
-oSK (sKr|pt kiDdi3 0uTPut).

Added --randomize_hosts option, which causes hosts be be scanned in
non-sequential order. This makes scans less conspicuous. For
efficiency reasons, the hosts are chopped into groups of 2048 and
then each group is internally shuffled (the groups still go in
order).

Rearranged the help ('nmap -h' or 'nmap' or 'nmap --help') screen to
be shorter (37 -> 23 lines!) and include some of the new features of
this release. The man page was updated as well.

Added "firewall mode" timing optimizations which can decrease the
ammount of time neccessary to SYN or connect scan some heavily
filtered hosts.

Added min_rtt_timeout timing option (see man page for details)

Changed "TCP Ping" to use a random ACK value rather than 0 (an IDS
called Snort was using this to detect Nmap TCP Pings).

Some changes for better Alpha/Linux support based on investigation
by Bill Beers (wbeers(a)carolina.rr.com)

Applied changes for FDDI support by Tobias J. Nijweide (tobias(a)mesa.nl)

Applied a socket binding patch from LaMont Jones
(lamont(a)security.hp.com) which can be useful when using -S to
specify one of multiple interfaces on a machine.

Made OS detection smart enough to first check scan results for a
known closed port instead of immediately resorting to a random one.
This improves OS detection against some machines behind packet
filters (suggested by van Hauser).

Applied a shortcut suggestion by Thomas Reinke which can lead to a
tremendous speedup against some firewalled hosts.

Added some ports commonly used for RPC to nmap-services

Fixed a problem with the timing of an RPC scan (could come before
the UDP scans they rely on)

Added sophisticated timing controls to give the user much more
control over Nmap's speed. This allows you to make Nmap much more
aggressive to scan hosts faster, or you can make Nmap more "polite"
-- slower but less likely to wreak havoc on your Network. You can
even enforce large delays between sending packets to sneak under IDS
thresholds and prevent detection. See the new "Timing Options"
section of the Nmap man page for more information on using this.

Applied Lamont Granquist's (lamontg(a)u.washington.edu) Window scan
patch (I changed the name from ACK scan to Window scan since I may
add another scan that uses ACK packets and I don't want them to be
confused). -sW activates this scan type. It is mostly effective
against BSD, AIX, Digital UNIX, and various older HP/UX, SunOS, and
VAX (See nmap-hackers mailing list archives for an extensive list).

Added various long options people expect to see like --version ,
--help , --usage , etc. Some of the new timing options are also long.
I had to add getopt_long C files since most non-Linux boxes don't
support getopt_long in libc.

Human readable (-o) output changed to include the time/date of the
scan. Suggested by van Hauser.

Changed RPC output based on suggestions by David O'Brien
(obrien(a)NUXI.com) and Lance Spitzner (lance(a)spitzner.net). I
got rid of the "(Non-RPC)" unnecessary clutter which appeared after
each non RPC port and the "(untested)" that appeard after each
"filtered" port.

Added a ton of new OS fingerprints people submitted. I had about
400 in my inbox. Of course, almost 100 of them were submissions for
www.windows2000test.com :).

Changed the machine parseable output of RPC information to include
the version information. If we figured out the RPC info, it is now
provided as "program-num*lowversion-highversion". If we didn't get
the number, but we think the port is RPC, the field simply contains
"R". If we believe the port is NOT RPC, then the field contains
"N". If the field is empty, we did not RPC scan the port. Thanks
to H D Moore (nlog(a)ings.com) for making me aware how much the
earlier machine parseable RPC logging sucked :).

Added direct (non-portmapper) RPC scanning to determine what RPC
program is listening on a particular port. This works for UDP and
TCP ports and is currently implemented using sockets (which means
you can't use decoys, but on the other hand you don't have to be
root). Thanks go to ga (ga(a)capyork.com) for writing sample code
to demonstrate the technique. The RPC services list included with
nmap was compiled by Vik Bajaj (vbajaj(a)sas.upenn.edu) with help
from various members of the nmap-hackers list.

Fixed a problem that could cause freezes when you scan machines on
at least two different types of interfaces as part of the same
command.

Identified and found workaround for Linux kernel bug which allows
connect() to sometimes succeed inapropriately when scanning closed
ports on localhost.

Fixed problems relating to people who specify the same port more
than once on the command line. While the right answer is "well,
don't do that!", I decided to fix nmap to handle this gracefully.

Tweaked UDP scanning to be more effective against Solaris ICMP error
limiting.

Added a note in the man page that Nmap 2.0+ is believed to be
COMPLETELY Y2K COMPLIANT! I've been getting a lot of letters from
laywers about that recently. You should still be able to port scan
on Jan 1st (well ... as long as you have electricity and gangs of
looting thugs haven't stolen your computers :)

Integrated nmapfe code from Zach Smith to allow the nmapfe output
window to resize when you resize the nmapfe window.

Integrated patch sent in by Stefan Erben (stefan(a)erben.com) which
allows nmap to recognize and ignore null interfaces. If you were
getting a bogus error like "eth0 not found in /proc/net/route" then
this should solve your problem.

Applied patch from Alexander Savelyev (fano(a)ham.kiev.ua) which
gives nmap the parameters necessary to support SLIP and PPP on BSDI
systems.

Changed the way tcp connect() scan determines the results of a
connect() call. Hopefully this will make nmap a little more
portable.

Got rid of the security warning message for people who are missing
/dev/random and /dev/urandom due to complaints about the warning.
This only silences the warnings -- it still uses relatively weak
random number generation under Solaris and other systems that lack
this functionality.

Eliminated pow() calls on Linux boxes. I think some sort of glibc
bug was causing nmap to sigsegv in some cases inside of pow(). Most
people weren't affected, but those who were would almost always
SIGSEGV with -O.

Many new fingerprints added. I received more than 300 submissions
between this release and the last one.

Fixed IRIX problems which prevented OS scanning from working on that
platform. The problem was researched and solution found by Lamont
Granquist (lamontg(a)u.washington.edu). You can also thank him for
porting nmap to almost every UNIX around.

Added support for '-m -' to redirect machine readable logs to stdout
for shell pipelining, etc. I also changed machine readable output
to show service names now that we use a nmap specific services file
rather than /etc/services. These features were suggested by Dan
Farmer. You can also thank him for SATAN (the auditing tool).

Fixed a link-list bug that could cause hangs in UDP,FIN,NULL, and
XMAS scans. Also fixed a ptr problem that could cause SIGSEGV.
These problem were discovered and tracked down by Ben Laurie
(ben(a)algroup.co.uk). You can also thank him for Apache, OpenSSL,
and Apache-SSL.

Fixed installation problem for people without a /usr/local/man/man1
directory. Found by Jeffrey Robertson (a-jeffro(a)microsoft.com).
I guess you can thank him for Win98 ;).

Several other little fixes to the installation script and minor
scanner tweaks.

Fixed a lockup on Solaris (and perhaps other proprietary UNIX
systems) caused by a lack of /dev/random & /dev/urandom and a rand()
that only returns values up to 65535. Users of Free operating
systems like Linux, FreeBSD, or OpenBSD probably shouldn't bother
upgrading.

Tons of new fingerprints. The number has grown by more than 25%.
In particular, Charles M. Hannum (root(a)ihack.net) fixed several
problems with NetBSD that made it easy to fingerprint and he sent me
a huge new batch of fingerprints for various NetBSD releases down to
1.2. Other people sent NetBSD fingerprints down to 1.0. I finally
got some early Linux fingerprints in (down to 1.09).

Nmap now comes with its own nmap-services which I created by merging
the /etc/services from a bunch of OS' and then adding Netbus, Back
Orifice, etc.

Random number generation now takes advantage of the /dev/urandom or
/dev/random that most Free operating systems offer.

Increased the maximum number of OS guesses nmap will make, told nmap
never to give you two matches where the OS names are byte-to-byte
equivalent. Fixed nmap to differentiate between "no OS matches
found" and "too many OS matches to list".

Fixed the problem noted by Savva Uspensky about offsets used for
various operating systems' PPP/SLIP headers. Due to lack of
responses regarding other operating systems, I have made assumptions
about what works for BSDI, NetBSD, and SOLARIS. If this version no
longer works on your modem, please let me know (and tell me whether
you are using SLIP/PPP and what OS you are running).

Machine parseable logs are now more machine parseable (I now use a
tab to seperate test result fields rather than the more ambiguous
spaces. This may break a few things which rely on the old format.
Sorry. They should be easy to fix.

Added my nmap-fingerprintinting-article.txt to the distribution in
the docs directory.

Fixed problem where nmap -sS (my_ethernet_or_ppp_ip_address) would
not correctly scan localhost (due to the kernel rerouting the
traffic through localhost). Nmap should now detect and work around
this behavior.

Applied patch sent to my by Bill Fenner (fenner(a)parc.xerox.com)
which fixes various SunOS compatibility problems.

Changed the makefile 'all' target to use install-sh rather than
mkdir -p (doesn't work on some systems)